我有一个脚本,可以让艺术家编辑他们的个人资料。有一件事被证明是一个问题。我不知道如何消毒用户输入的内容。每次a'被放入数据都没有显示,因为它削减了php短。
这是我的生物形式:
username = $_SESSION['username'];
$pass = $_SESSION['password'];
include ("../database.php");
$result = mysql_query("SELECT * FROM members WHERE username='$username' AND password='$pass' AND artist='Y'");
while($row = mysql_fetch_array($result)){
echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
<textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
<div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>
</div>';
以下是上传到数据库的脚本;
$username = $_SESSION['username'];
$pass = $_SESSION['password'];
$artistname = $_POST['artistname'];
$bio = $_POST['bio'];
include ("../database.php");
mysql_query("UPDATE members SET bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass' AND artist='Y'");
$artisturl = mysql_query("SELECT * FROM members
WHERE username='$username' AND password='$pass' AND artist='Y'");
while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php? artist=".$row['artistname']."");}
}
}
else echo'<p1>You must be an artist to use these features.</p1>';
是的,我知道我需要升级到mysqli,我知道我需要使用预准备语句。首先需要对此进行排序。
答案 0 :(得分:0)
在向数据库输入任何内容之前,只需调用:
mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);
答案 1 :(得分:0)
如果您要在SQL查询中使用用户输入,则需要对其进行清理。 这是一个简单的例子。
$username = mysql_real_escape_string($_SESSION['username']);
$pass = mysql_real_escape_string($_SESSION['password']);
$artistname = mysql_real_escape_string($_POST['artistname']);
$bio = mysql_real_escape_string($_POST['bio']);
include ("../database.php");
mysql_query("UPDATE members SET bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass' AND artist='Y'");