我正在尝试使用一些简单的PHP更新MySQL表,但每次运行此命令时,都会收到错误消息:“站点处于脱机状态,请稍后再回来查看!”我输入的字符串只是一个简单的段落,但它里面有一些HTML代码。要让这个东西起作用需要什么样的消毒?这是代码:
if (!empty($_POST) && $_SESSION['logged'] == 1)
{
$title = $_POST['title1'];
$body = $_POST['body1'];
$query = "UPDATE pages SET title = '$title', body = '$body' WHERE id = '$id'";
$do_query = mysql_query($query) or die ("Site is offline, please check back later!");
}
我试图用以下内容更新的段落:
Lorem Ipsum is simply dummy text of the printing and typesetting industry. <br /><br />Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. <br /><br />Please visit <a href="http://lipsum.com">Lipsum's website</a> for more info.
答案 0 :(得分:4)
要直接回答您的问题,您的SQL查询失败了,因为您插入的文本包含单引号',而您没有转义它。
要解决此问题,您可以使用mysql_real_escape_string()来清理数据:
$title = mysql_real_escape_string($_POST['title1']);
$body = mysql_real_escape_string($_POST['body1']);
但是,我强烈建议您现在花些时间停止使用较旧的mysql_功能,然后切换到支持率更高的MySQLi或PDO图书馆;这些将允许您使用prepared statements来完全阻止此问题。
MySQLi的一个例子:
$mysqli = new mysqli("localhost", "user", "password", "database");
$stmt = $mysqli->prepare('UPDATE pages SET title = ?, body = ? WHERE id = ?');
$stmt->bind_param("s", $_POST['title1']);
$stmt->bind_param("s", $_POST['body1']);
$stmt->bind_param("i", $id);
$stmt->execute();