htmlspecialchars这是多余的

时间:2016-05-15 10:27:31

标签: php pdo

我需要在我的代码的两个地方使用htmlspecialchars吗? 我的印象是第一个实例将从输入框中删除html,如表格框,如果他们把html它将被剥离现在第二部分形式动作,我也使用htmlspecialchars我的印象这将是从帖子提交中删除html,就好像我试图用注射来修改查询一样,我不确定我是否有这个权利而且我怀疑我做的比我需要做的还要多,或者我做错了我没有&#39不知道。

        <?php    
 if (isset($_POST['submit'])) {

    $description = $_POST['description'];
    $cost = $_POST['cost'];
    $source = $_POST['source'];      
    if($description !=''&& $cost !=''&& $source !='')
{
header("Location: ./");
}
    try {
    $dbh = new pdo("mysql:host=localhost;dbname=tao", "tao", "tao");
        }
catch (Exception $e) {
    echo '<p>', $e->getMessage(), '</p>';
    exit;
}

    $stmt = $dbh->prepare ("INSERT INTO benz (description,cost,source) VALUES (:description,:cost,:source)");
    $stmt->bindParam(':description', $description, PDO::PARAM_STR);
    $stmt->bindParam(':cost', $cost, PDO::PARAM_INT);
    $stmt->bindParam(':source', $source, PDO::PARAM_STR);
    $stmt->execute();
 }
 $stmt = null;
?>

<link rel="stylesheet" type="text/css" href="css/five.css" />

<form class="basic-grey" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<p>Desc:<br />
<textarea cols="80" rows="2" name="description" id="description"></textarea></p>
<p>Cost:<br/><textarea cols="80" rows="2" name="cost" id="cost"></textarea></p>
<p>Srce:<br />
<textarea cols="80" rows="2" name="source" id="source"></textarea></p>




<p><input type="submit" name="submit" id="submit" value="Submit"></p>

</form>

我已经更新了我的代码以反映建议,似乎我需要专注于显示来自db的信息我不知道当我从数据库中提取数据时如何转义html是我的代码

<?php
try {
    $dbh = new pdo("mysql:host=localhost;dbname=tao", "tao", "kt3");
        }
catch (Exception $e) {
    echo '<p>', $e->getMessage(), '</p>';
    exit;
} 
$qry = 'SELECT * From benz';
$stmt = $dbh->query($qry);
$stmt->setFetchMode(PDO::FETCH_ASSOC);
class nav {
  public static function GenerateMenu($items) {

    $html = "<div><ul id='menu'>\n";

    foreach($items as $item) {
      $html .= "<li class='meu'> {$item['class']} {$item['url']} {$item['text']}</li>\n";
    }
    $html .= "</ul></div>\n";
    return $html;
  }
};

$menu = [];
foreach ($stmt as $row) {
    $menu[] = [ 
        'class' => $row['description'],
        'url' => $row['cost'],
        'text' => $row['source'],        
    ];
}; // end navigation
class total {
    public static function t() {
        try {
    $dbh = new pdo("mysql:host=localhost;dbname=tao", "tao", "tao3");
        }
catch (Exception $e) {
    echo '<p>', $e->getMessage(), '</p>';
    exit;
} 
        $qry = 'SELECT SUM(cost) FROM benz';
        $stmt = $dbh->query($qry);
        $stmt->setFetchMode(PDO::FETCH_ASSOC);

        $htm = "<ul id='menu'>\n";
        while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $htm .= "<li class='meu'>Total {$row['SUM(cost)']}</li>\n";
        $htm .="</ul>\n";
        return $htm;

    }
}
}

0 个答案:

没有答案
相关问题
最新问题