我正在创建一个动态网页,允许人们发布他们最喜欢的食谱。每个食谱下面都有一个链接,允许您对食谱进行评论。如果您发表评论,评论将发布在数据库中,除非评论中有任何撇号。这是addcomment.inc.php页面的代码:
<?php
$con = mysql_connect("localhost", "test", "test") or die('Sorry, could not connect to database server');
mysql_select_db("recipe", $con) or die('Sorry, could not connect to database');
$recipeid = $_GET['id'];
$query = "select title from recipes where recipeid = $recipeid";
$result = mysql_query($query) or die('Could not retrieve file: ' . mysql_error());
echo "<form action=\"index.php\" method=\"post\">\n";
if (mysql_num_rows($result) == 0) {
$title = "Unknown Title";
}
else {
while($row=mysql_fetch_array($result, MYSQL_ASSOC)) {
$title = $row['title'];
}
}
echo "<h2>Enter your comment for the recipe \"$title.\" </h2>";
echo "<textarea rows=\"10\" cols=\"50\" name=\"comment\"></textarea><br>\n";
echo "Submitted by:<input type=\"text\" name=\"poster\"><br>\n";
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<input type=\"hidden\" name=\"content\" value=\"addcomment\">\n";
echo "<br><input type=\"submit\" value=\"Submit\">\n";
echo "</form>\n";
?>
另一个名为addcomment.inc.php的php文件检索信息。这是下面的代码:
<?php
$recipeid = $_POST['recipeid'];
$poster = $_POST['poster'];
$comment = htmlspecialchars($_POST['comment']);
$date = date("Y-m-d");
$con = mysql_connect("localhost", "test", "test") or die('Could not connect to server');
mysql_select_db("recipe", $con) or die('Could not connect to database');
$query = "INSERT INTO comments (recipeid, poster, date, comment) " .
" VALUES ($recipeid, '$poster', '$date', '$comment')";
$result = mysql_query($query) or die('Could not query databse. ' . mysql_error());
if ($result)
echo "<h2>Comment posted</h2>\n";
else
echo "<h2>Sorry, there was a problem posting your comment</h2>\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
?>
如果输入到评论表单中,如何使此代码正确处理单引号?
答案 0 :(得分:5)
在将任何内容粘贴到MySql查询之前,将其传递给mysql_real_escape_string()
在将任何内容粘贴到HTML之前,请通过htmlspecialchars()
传递它这样可以防止SQL注入,JavaScript / HTML注入和野火。
答案 1 :(得分:2)
你必须使用mysql_real_escape_string()
$comment = mysql_real_escape_string($_POST['comment']);
答案 2 :(得分:1)
当您使用mysql_real_escape_string()将输入传递给MySQL时,您必须转义输入,以避免用户执行SQL injection并对您的数据库进行恶意处理。
示例:
// wrong
$query = "select title from recipes where recipeid = $recipeid";
// correct
$query = "select title from recipes where recipeid = " . mysql_real_escape_string($recipeid);
当您将输出传递到具有htmlspecialchars()(或URL中为urlencode())的浏览器时,您还必须转义输出,否则有人可能会在您的数据库中插入一些恶意HTML或JavaScript代码,并且然后使用XSS attack攻击您的其他用户。
示例:
// wrong
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
// correct
echo "<input type=\"hidden\" name=\"recipeid\" value=\"" . htmlspecialchars($recipeid) . "\">\n";
echo "<a href=\"index.php?content=showrecipe&id=" . urlencode($recipeid) . "\">Return to recipe</a>\n";