I am trying to protect the data users submit through a form on my website so that they cannot submit it as HTML. I am trying the following, but when I test it I am still able to submit HTML data; it is written to the database, and when I read the data back from the DB and output it, the HTML is rendered. Is mysql_real_escape_string not working?
if (isset($_POST['submit'])) {
    if (strlen($_POST['topictitle']) < 10) {
        $errors .= "<div>Your topic title must be 10 characters or longer!</div>";
    } else {
        // mysqli_real_escape_string() only escapes the characters that matter inside an
        // SQL string literal (quotes, backslashes, NUL, line breaks). It does not touch
        // '<' or '>', so any HTML in the title is stored exactly as submitted.
        $thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
    }
    if (strlen($_POST['content']) < 10) {
        $errors .= "<div>Your message must be 10 characters or longer!</div>";
    } else {
        $content = mysqli_real_escape_string($db_connect, $_POST['content']);
    }
    if (isset($errors)) {
        $error_message = "<div class=\"error_box\">$errors</div>";
        $smarty->assign('error_message', $error_message);
    } else {
        // Note: $_GET[f], $_POST[topicdescription] and $_POST[posticon] are interpolated
        // into the SQL below without any escaping at all.
        $thread_sql = "
            INSERT INTO forum_threads (
                user_id,
                forum_id,
                thread_postdate,
                thread_lastpost,
                thread_title,
                thread_description,
                thread_icon
            ) VALUES (
                '$_SESSION[user_id]',
                '$_GET[f]',
                '$date',
                '$date',
                '$thread_title',
                IF('$_POST[topicdescription]'='',NULL,'$_POST[topicdescription]'),
                IF('$_POST[posticon]'='NULL',NULL,'$_POST[posticon]')
            )
        ";
        // The '@' suppresses any error from the query, so a failed INSERT goes unnoticed.
        $thread_query = @mysqli_query($db_connect, $thread_sql);
        $select_thread_sql = "
            SELECT
                thread_id
            FROM
                forum_threads
            WHERE
                thread_id = LAST_INSERT_ID()
        ";
        $select_thread_query = @mysqli_query($db_connect, $select_thread_sql);
        $select_thread = mysqli_fetch_assoc($select_thread_query);
        $thread_id = $select_thread['thread_id'];
        $post_sql = "
            INSERT INTO forum_posts (
                user_id,
                thread_id,
                post_message,
                post_date
            ) VALUES (
                '$_SESSION[user_id]',
                '$thread_id',
                '$content',
                '$date'
            )
        ";
        $post_query = @mysqli_query($db_connect, $post_sql);
        $url = $url . "forum.php?t=" . $thread_id;
        header("Location: $url");
        exit();
    }
}
+1 However, the way it is being implemented, only `htmlentities()` provides comprehensive security against XSS attacks; `strip_tags()` by itself won't cut it – 2010-11-04 18:38:51
`strip_tags` is, unless you put the string into an attribute. And `htmlentities` is only "safe" if used together with ENT_QUOTES. – mario 2010-11-04 18:41:30
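The point the question and the two comments circle around is that SQL escaping and HTML encoding are different jobs. The following is an added example in PHP, not the asker's code and not from the comments; it assumes an open mysqli connection in `$db` and the `forum_threads` columns named in the question, and the helper names `insert_thread` and `h` are my own.

```php
<?php
// Added example, not from the question or its comments. Assumes an open mysqli
// connection in $db and the forum_threads columns named in the question.
// mysqli_real_escape_string() only makes a value safe inside an SQL string
// literal; it leaves '<' and '>' alone, so HTML is stored verbatim. That is
// expected: XSS is prevented by encoding at output time, for the context
// (element body or attribute value) the data is rendered into.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing

// Storage: a prepared statement sends values separately from the SQL text, so
// quotes and HTML in $title are plain data and no manual escaping is needed.
function insert_thread(mysqli $db, int $userId, int $forumId, string $title, ?string $desc): int
{
    $stmt = $db->prepare(
        'INSERT INTO forum_threads
            (user_id, forum_id, thread_postdate, thread_lastpost, thread_title, thread_description)
         VALUES (?, ?, NOW(), NOW(), ?, ?)'
    );
    $stmt->bind_param('iiss', $userId, $forumId, $title, $desc); // NULL $desc binds SQL NULL
    $stmt->execute();
    return $db->insert_id;   // the value the question fetched with LAST_INSERT_ID()
}

// Output: encode for HTML. ENT_QUOTES also encodes ' and ", which is what makes
// the result safe inside attribute values and not only between tags.
function h(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, as a user might submit it:
$title = '<b>Hello</b> "friend"';
$value = 'x" data-injected="yes';

// Element body: the tags are shown as literal text instead of being rendered.
echo '<h1>' . h($title) . "</h1>\n";

// Attribute value: the quote is encoded, so the value cannot close the attribute.
echo '<input value="' . h($value) . "\">\n";

// Why strip_tags() alone is not enough (mario's point): it removes tags but keeps
// the quote, so inside an attribute the value still closes it and a new attribute appears.
echo '<input value="' . strip_tags($value) . "\">\n";

// Storage call with the request values the question used; integer columns are cast
// to int, which is the only validation they need once parameters are bound.
// $id = insert_thread($db, (int) $_SESSION['user_id'], (int) $_GET['f'],
//                     trim($_POST['topictitle']), $_POST['topicdescription'] ?: null);
```

Run it on the command line to compare the three lines of output: the first two contain no markup from the user, the third carries the injected attribute.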