我对这个论坛有另一个问题。一切都很好,只是没有发布HTML。
当我发布没有任何html的线程时,它会在线程视图中显示,但是如果我用html,粗体等发布内容,它将根本不会显示。
继承帖子文件
<?php
include "connect.php"; //connection string
if(isset($_POST['submit']))
{
$name=$_POST['name'];
$yourpost=$_POST['yourpost'];
$subject=$_POST['subject'];
if(strlen($name)<1)
{
print "You did not type in a name."; //no name entered
}
else if(strlen($yourpost)<1)
{
print "You did not type in a post."; //no post entered
}
else if(strlen($subject)<1)
{
print "You did not enter a subject."; //no subject entered
}
else
{
$thedate=date("U"); //get unix timestamp
$displaytime=date("F j, Y, g:i a");
//we now strip HTML injections
$subject=strip_tags($subject);
$name=strip_tags($name);
$yourpost=strip_tags($yourpost);
$insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";
mysql_query($insertpost) or die("Could not insert post"); //insert post
print "Message posted, go back to <A href='index.php'>Forum</a>.";
}
}
else
{
print "<form action='post.php' method='post'>";
print '<input type="hidden" name="name" value="' . $_SESSION[usr_name] . '" size="20"><br>';
print "Topic title:<br>";
print "<input type='text' name='subject' size='20'><br>";
print "Your message:<br>";
print "<textarea name='yourpost' rows='5' cols='40' id='new_thread'></textarea><br>";
print "<input type='submit' name='submit' value='submit'></form>";
}
?>
<script language="JavaScript">
generate_wysiwyg('new_thread');
</script>
这是线程视图
<?php
include "connect.php"; //mysql db connection here
$id=$_GET['id'];
$gettopic="SELECT * from forumtutorial_posts where postid='$id'";
$gettopic2=mysql_query($gettopic) or die("Could not get topic");
$gettopic3=mysql_fetch_array($gettopic2);
print "<div id='left'>";
print "<div id='navi-body'>";
print "<a href='index.php'>Back to main forum</a> <a href='post.php'>New Topic</a> <A href='reply.php?id=$id'>Reply</a>";
print "</div>";
print "<div class='content'>";
print "<div class='content-header yellow'>$gettopic3[title]</div>";
print "<div class='content-mid'>";
$message=strip_tags($gettopic3['post']);
$message=nl2br($message);
print "$message";
print "<br /><br />";
print "Posted by: $gettopic3[author] Created at: $gettopic3[showtime]";
print "</div>";
print "<div class='content-footer'></div>";
print "</div>";
$getreplies="Select * from forumtutorial_posts where parentid='$id' order by postid desc"; //getting replies
$getreplies2=mysql_query($getreplies) or die("Could not get replies");
while($getreplies3=mysql_fetch_array($getreplies2))
{
print "<div class='content'>";
print "<div class='content-header yellow'>$getreplies3[author] replied at $getreplies3[showtime]</div>";
print "<div class='content-mid'>";
$message=strip_tags($getreplies3['post']);
$message=nl2br($message);
print "$message";
print "</div>";
print "<div class='content-footer'></div>";
print "</div>";
}
print " ";
?>
我希望它能够显示HTML和非HTML。
答案 0 :(得分:1)
..但你有strip_tags()函数,它从字符串(post)中绑定任何HTML或PHP标记。
$message=strip_tags($getreplies3['post']);
您可能希望使用此函数的第二部分,并为要允许的那些标记添加一些额外参数。 (如BOLD,ITALICS等)
$message_with_some_html = strip_tags($getreplies3['post'], '<strong><em>');
我希望我是对的,请查看PHP文档......:)
此外,您可能希望在使用客户端输入htmlentities()和一些正则表达式语句来过滤掉可能的攻击之前对$ _POST变量进行消毒