Textarea打破MySQL UPDATE查询

时间:2014-05-06 13:04:48

标签: php jquery mysql textarea

是否存在一个常见问题,如果文本中的文本多于单个句子,则会导致我的textarea破坏更新查询?

当我只输入一个句子时,更新查询运行正常,但是除了句子之外的任何内容都会破坏查询。

以下是表单代码:

<form id="cp_files_admin_form" method="post" enctype="multipart/form-data"> 

<label>File Manager Login Text</label>
<input id="login_text" type="text" name="login_text" value="File Manager Login">

<hr>    

<label>File Manager Login Logo</label>
<input id="login_logo" type="file" name="login_logo">

<hr>    

<label>Main Left Logo</label>
<input id="main_left_logo" type="file" name="main_left_logo">

<hr>    

<img class="form-img" src="" alt="">

<label>Main Center Logo</label> 
<input id="main_center_logo" type="file" name="main_center_logo">   

<hr>    

<label>File Manager Instructions Text</label>   
<textarea id="instructions_text" name="instructions_text" style="width:630px;height:150px;"></textarea>


<input id="submit" type="submit" value="Submit">

</form>

这是jQuery代码:

$(document).ready(function() {

    // Update CMS
    $(document).on('click', '#submit', function() { // catch the form's submit event
            // Send data to server through the ajax call
            // action is functionality we want to call and outputJSON is our data

            // fetch the data for the form
            var data = $('#cp_files_admin_form').serialize();

            console.log('Form Data Before Sent: '+data);

            $.ajax({
                url: 'update.php',
                data: data,
                type: 'GET',                   
                async: 'true',
                dataType: 'json',
                success: function (result) {
                    if(result.status) {
                        alert('CMS Update Successful!');      
                        getCMS();                    
                    } else {
                        alert('CMS Update unsuccessful!'); 
                    }
                },
                error: function (request,error) {
                    // This callback function will trigger on unsuccessful action                
                    alert('Network error has occurred please try again!');
                }
            });                   

        return false; // cancel original event to prevent form submitting
    }); 


});

这是update.php代码:

<?php

    header("Access-Control-Allow-Origin: *");

    require_once("debug/chromephp.php");

    $formData = $_GET;

    ChromePhp::log('$_GET Data: '.$formData['instructions_text']);

    require_once("config.php");

    $login_text = $formData['login_text'];
    //$login_logo = $formData['login_logo'];
    //$main_left_logo = $formData['main_left_logo'];
    //$main_center_logo = $formData['main_center_logo'];
    $instructions_text = $formData['instructions_text'];

    $sql="UPDATE cp_cms SET login_text='$login_text', instructions_text='$instructions_text' WHERE id = 1";

    $result = mysql_query($sql);

    if($result) {

        // Success
        $output = array('status' => true, 'massage' => 'Success!');
        echo json_encode($output);

    } else {

        // Failed
        $output = array('status' => false, 'massage' => 'Failed!');
        echo json_encode($output);

    }

?>

表格结构截图:

table_structure 非常感谢任何帮助。

1 个答案:

答案 0 :(得分:1)

试试这个,它可以防止表单中的条目破坏你的SQL查询。这也称为SQL注入攻击...

$sql="UPDATE cp_cms SET login_text='".
mysql_real_escape_string($login_text)."', instructions_text='".
mysql_real_escape_string($instructions_text)."' WHERE id = 1";

但是请看看PDO它是如此安全和容易......

编辑:我挖了一些PDO示例: http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P552.html