clean_string函数过于激进

时间:2013-03-24 17:23:36

标签: php mysql database

我有一个clean_string函数应用于我的应用程序中的文本条目,但我担心它过于激进。将带有单引号或双引号的文本提交到数据库会导致打印出奇数字符。

clean_string函数

<?php
/*
        ini_set('display_errors', 1);
    error_reporting(E_ALL);
*/
    function clean_string($string) {
        $string = trim($string);
        $string = utf8_decode($string);
        $string = str_replace("#", "&#35", $string); $string = str_replace("%", "&#37", $string);

        if (mysql_real_escape_string($string)) {
            $string = mysql_real_escape_string($string);
        }

        if (get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }

        return htmlentities($string);
    }
?>

在文本字段中输入“Hello”或“world”等文本会产生以下结果: Aggressive clean_string

正在调用clean_string函数,如下所示:

//Clean
    if ($submit == 'Submit') {
        $submit = clean_string($_POST['submit']);
        require_once("db_connect.php");

        $watchlist_name = clean_string($_POST['watchlist-name']);
        $watchlist_description = clean_string($_POST['watchlist-description']);
        $watchlist_category = $_POST['watchlist-category'];

        $existing_watchlist_name = clean_string($_POST['existing-watchlist']);

        $addWatchlist_bad_message = '';
        $addWatchlist_good_message = '';

        if ($db_server) {
            // Add new Watchlisth
            if (!empty($watchlist_name)) {
                $watchlist_name = clean_string($watchlist_name);
                $watchlist_description = clean_string($watchlist_description);
                mysql_select_db($db_database);

                // Create new Watchlist
                $insert_new_watchlist = "INSERT INTO watchlists (user_id, name, description, category) VALUES ('$user_id', '$watchlist_name', '$watchlist_description', '$watchlist_category')";
                mysql_query($insert_new_watchlist) or die("Insert failed. " . mysql_error() . "<br />" . $insert_new_watchlist);

                // Insert film into new Watchlist
                $add_new_film = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES (" . mysql_insert_id() .", '$rt_id')";
                mysql_query($add_new_film) or die("Insert failed. " . mysql_error() . "<br />" . $add_new_film);
                $addWatchlist_good_message = '<div class="alert alert-success">Watchlist created successfully, and film added!</div>';?>
                <script>
                    $('a.add-watchlist').trigger('click');
                </script><?php
            } else if (!empty($existing_watchlist_name)) {
                mysql_select_db($db_database);

                // Select existing Watchlist
                $existing_watchlist_select = "SELECT watchlist_id FROM watchlists WHERE name = '$existing_watchlist_name'";
                $existing_watchlist_select_result = mysql_query($existing_watchlist_select);
                $existing_watchlist_id = mysql_result($existing_watchlist_select_result, 0);

                // Add film to existing Watchlist
                $insert_into_existing = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES ('$existing_watchlist_id', '$rt_id')";
                mysql_query($insert_into_existing) or die("Insert failed. " . mysql_error() . "<br />" . $insert_into_existing);
                $addWatchlist_good_message = '<div class="alert alert-success">Film successfully added to existing Watchlist!</div>';?>
                <script>
                    $('a.add-watchlist').trigger('click');
                </script><?php
            }
        } else {
            $addWatchlist_bad_message = '<div class="alert alert-error">Error: could not connect to the database.</div.';?>
            <script>
                $('a.add-watchlist').trigger('click');
            </script><?php
        }
        require_once("db_close.php");
    }

1 个答案:

答案 0 :(得分:0)

您可以在检索和回显数据时删除斜杠,或使用str_replace将其过滤掉。