无法清理用户输入的数据

时间:2012-06-07 00:39:12

标签: php mysql forms

我有一个脚本,可以让艺术家编辑他们的个人资料。有一件事被证明是一个问题。我不知道如何消毒用户输入的内容。每次a'被放入数据都没有显示,因为它削减了php短。

这是我的生物形式:

username = $_SESSION['username'];
    $pass = $_SESSION['password']; 
   include ("../database.php");
   $result = mysql_query("SELECT * FROM members WHERE username='$username' AND     password='$pass' AND artist='Y'");

while($row = mysql_fetch_array($result)){

       echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
       <textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
       <div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>

       </div>';

以下是上传到数据库的脚本;

$username = $_SESSION['username']; 
    $pass = $_SESSION['password'];

     $artistname = $_POST['artistname'];
     $bio = $_POST['bio'];




include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");

$artisturl = mysql_query("SELECT * FROM members  
WHERE username='$username' AND password='$pass'  AND artist='Y'");

while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php?    artist=".$row['artistname']."");}
}

}
else echo'<p1>You must be an artist to use these features.</p1>';

是的,我知道我需要升级到mysqli,我知道我需要使用预准备语句。首先需要对此进行排序。

2 个答案:

答案 0 :(得分:0)

在向数据库输入任何内容之前,只需调用:

mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);

答案 1 :(得分:0)

如果您要在SQL查询中使用用户输入,则需要对其进行清理。 这是一个简单的例子。

$username = mysql_real_escape_string($_SESSION['username']); 
$pass = mysql_real_escape_string($_SESSION['password']);
$artistname = mysql_real_escape_string($_POST['artistname']);
$bio = mysql_real_escape_string($_POST['bio']);

include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");