mysql_real_escape_string not working?

Time: 2010-11-04 18:34:01

Tags: php mysql

I'm trying to protect the data that users submit through a form on my site so that they can't submit it as HTML. I'm trying the following, but when I test it I can still submit HTML data: it is written to the database exactly as I typed it, and the HTML is rendered when I read it back from the database.

if (isset($_POST['submit'])) {

    // Start with an empty error string so the .= below never appends to an undefined variable.
    $errors = '';

    if ( strlen($_POST['topictitle']) < 10 ) {
        $errors .= "<div>Your topic title must be 10 characters or longer!</div>";
    } else {
        $thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
    }

    if ( strlen($_POST['content']) < 10 ) {
        $errors .= "<div>Your message must be 10 characters or longer!</div>";
    } else {
        $content = mysqli_real_escape_string($db_connect, $_POST['content']);
    }

    // Every value interpolated into the SQL below must be escaped, not only the title and message.
    $forum_id          = mysqli_real_escape_string($db_connect, $_GET['f']);
    $topic_description = mysqli_real_escape_string($db_connect, $_POST['topicdescription']);
    $post_icon         = mysqli_real_escape_string($db_connect, $_POST['posticon']);

    if ($errors !== '') {
        $error_message = "<div class=\"error_box\">$errors</div>";
        $smarty->assign ('error_message', $error_message);
    } else {
        $thread_sql = "
            INSERT INTO forum_threads (
                user_id,
                forum_id,
                thread_postdate,
                thread_lastpost,
                thread_title,
                thread_description,
                thread_icon
            ) VALUES (
                '$_SESSION[user_id]',
                '$forum_id',
                '$date',
                '$date',
                '$thread_title',
                IF('$topic_description'='',NULL,'$topic_description'),
                IF('$post_icon'='NULL',NULL,'$post_icon')
            )
        ";
        $thread_query = @mysqli_query ($db_connect, $thread_sql);

        // Fetch the id of the thread row just inserted.
        $select_thread_sql = "
            SELECT
                thread_id
            FROM
                forum_threads
            WHERE
                thread_id = LAST_INSERT_ID()
        ";
        $select_thread_query = @mysqli_query ($db_connect, $select_thread_sql);
        $select_thread = mysqli_fetch_assoc($select_thread_query);

        $thread_id = $select_thread['thread_id'];

        // The first post of the thread carries the message body.
        $post_sql = "
            INSERT INTO forum_posts (
                user_id,
                thread_id,
                post_message,
                post_date
            ) VALUES (
                '$_SESSION[user_id]',
                '$thread_id',
                '$content',
                '$date'
            )
        ";
        $post_query = @mysqli_query ($db_connect, $post_sql);

        $url = $url . "forum.php?t=" . $thread_id;
        header("Location: $url");
        exit();
    }
}

1 answer:

Answer 0 (score: 3)

mysqli_real_escape_string is not meant to escape HTML markup; it only prevents SQL injection, so HTML has to be handled by other means. If you want to stop HTML from being rendered, look at strip_tags and htmlentities.
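To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) that separates the two concerns: protecting the SQL statement when the post is stored, and encoding for HTML when it is displayed. The `forum_posts` columns follow the question's code; `$db_connect` is assumed to be an open mysqli connection, and the sample input is constructed.

```php
<?php
// Constructed sample input, as a user might type it into the form.
$submitted = "<b>bold</b> & O'Reilly said \"hi\"";

// 1. Storing: guard the SQL statement, not the HTML. A prepared statement
//    sends the values separately from the query text, so no escaping of
//    the values is needed and no markup is altered.
function insert_post(mysqli $db_connect, int $user_id, int $thread_id, string $message, string $date): bool
{
    $stmt = $db_connect->prepare(
        "INSERT INTO forum_posts (user_id, thread_id, post_message, post_date) VALUES (?, ?, ?, ?)"
    );
    $stmt->bind_param('iiss', $user_id, $thread_id, $message, $date);
    return $stmt->execute();
}

// 2. Displaying: encode at output time. The stored text stays exactly as
//    typed; the browser receives literal characters, so <b> is shown as
//    text rather than interpreted as a tag. ENT_QUOTES also encodes ' and "
//    so the value is safe inside attribute values, not only element bodies.
function render_post(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// 3. Alternatively, refuse markup at input time. strip_tags removes tags but
//    leaves &, quotes and entities untouched, so on its own it is not a
//    substitute for output encoding; treat it as an extra policy step.
function sanitize_input(string $raw): string
{
    return strip_tags(trim($raw));
}

echo render_post($submitted), "\n";
echo sanitize_input($submitted), "\n";
```

The database only ever sees the text through `bind_param`, and the browser only ever sees it through `render_post`; neither step depends on the other, which is why `mysqli_real_escape_string` alone could not change what the page displayed.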