MySQL single-quote insert error

Time: 2011-10-06 10:23:33

Tags: php mysql html

OK, I have a form for a forum I am building from scratch. I am using NBBC to parse the forum's BBCode. Here is the code. My main concern is converting single quotes to HTML entities. I have also tried many things, including htmlentities(). This is the error message that gets generated:

ERROR [1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Here is the current code. I have included the 2 pieces of code that need to be rechecked.

add_topic.php (snippet)

<?php
// add_topic.php (snippet as posted). $tbl_name and the mysql_connect() /
// mysql_select_db() calls are defined elsewhere in the script and are not shown.
require_once("nbbc/nbbc.php");
$bbcode = new BBCode;
$topic = $_POST['topic'];
// Default flags (ENT_COMPAT, the default before PHP 8.1) convert only double
// quotes, so a single quote in 'detail' reaches the SQL string untouched.
$detail = htmlspecialchars($_POST['detail']);
$c_detail = $bbcode->Parse($detail);   // NBBC returns HTML; single quotes in the text survive
$name = $_POST['name'];
$c_name = htmlspecialchars($name, ENT_QUOTES);   // ENT_QUOTES turns ' into &#039;
$c_topic = htmlspecialchars($topic, ENT_QUOTES);
$datetime = date("d/m/y h:i:s"); // create date time

// Values are interpolated straight into the SQL text. HTML escaping is not SQL
// escaping, so any remaining quote breaks the statement (and is an injection point).
$sql = "INSERT INTO $tbl_name(topic, detail, name, datetime) VALUES('$c_topic', '$c_detail', '$c_name', '$datetime')";
$result = mysql_query($sql);

if ($result) {
    echo "Successful<BR>";
    echo "<a href=main_forum.php>View your topic</a>";
} else {
    echo "ERROR [" . mysql_errno() . "] " . mysql_error();
}

add_answer.php

<?php
// add_answer.php (as posted). $tbl_name, $id (the question being answered) and
// $Max_id (the next answer number) are computed earlier in the script and are not shown.
require_once("nbbc/nbbc.php");
$bbcode = new BBCode;
$a_name = $_POST['a_name'];
$a_subject = $_POST['a_subject'];
// The answer body is parsed with no escaping at all, so any single quote in it
// reaches the SQL string as-is.
$a_answer = $bbcode->Parse($_POST['a_answer']);
$ac_name = htmlspecialchars($a_name, ENT_QUOTES);
// The posted code escaped $a_name here a second time (copy-paste slip), so the
// subject was never stored; it should be $a_subject.
$ac_subject = htmlspecialchars($a_subject, ENT_QUOTES);
$datetime = date("d/m/y H:i:s"); // create date and time

// Same interpolation problem as add_topic.php: $a_answer, $id and $Max_id go
// into the SQL text unescaped.
$sql2 = "INSERT INTO $tbl_name(question_id, a_id, a_name, a_subject, a_answer, a_datetime) VALUES('$id', '$Max_id', '$ac_name', '$ac_subject', '$a_answer', '$datetime')";
$result2 = mysql_query($sql2);

if ($result2) {
    echo "Successful<br />";
    echo "<a href='view_topic.php?id=" . $id . "'>View your answer</a>";

    $tbl_name2 = "forum_question";
    $sql3 = "UPDATE $tbl_name2 SET reply='$Max_id' WHERE id='$id'";
    $result3 = mysql_query($sql3);
} else {
    echo "ERROR [" . mysql_errno() . "] " . mysql_error();
}

To clarify again: what I need is to strip all HTML tags and any other script tags, parse the BBCode, and finally insert the data without getting an error.

2 answers:

Answer 0 (score: 3)

Try mysql_real_escape_string(). It should work!

http://php.net/manual/en/function.mysql-real-escape-string.php

Answer 1 (score: 2)

You need to use mysql_real_escape_string() http://php.net/manual/en/function.mysql-real-escape-string.php rather than htmlspecialchars.
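The following is an added illustration of what both answers are saying; it is not code from the question or from either answer. It rebuilds the INSERT from add_topic.php with a value that contains a single quote, so the reader can see the SQL text that MySQL rejects with ERROR [1064], and then shows the two SQL-side fixes: escaping with the driver (the answers' mysql_real_escape_string(), written in its mysqli form because the mysql_* functions were removed in PHP 7) and a prepared statement, which is the form to use in new code. The table name forum_question, the mysqli connection and its placeholder credentials are assumptions; the arrow function needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or the answers' code. Assumes a table
// forum_question(topic, detail, name, datetime) and a mysqli connection $db.

// The asker's pattern: HTML-escape, then interpolate into the SQL text.
// ENT_COMPAT is used explicitly here to reproduce the pre-PHP-8.1 default the
// question relied on: it converts " but leaves ' alone, so a quote in $detail
// ends the SQL string literal early.
function buildNaiveInsert(string $table, string $topic, string $detail, string $name, string $datetime): string
{
    $cTopic  = htmlspecialchars($topic, ENT_QUOTES);   // ' becomes &#039;
    $cDetail = htmlspecialchars($detail, ENT_COMPAT);  // ' survives
    $cName   = htmlspecialchars($name, ENT_QUOTES);
    return "INSERT INTO $table(topic, detail, name, datetime) "
         . "VALUES('$cTopic', '$cDetail', '$cName', '$datetime')";
}

// Fix A (what both answers suggest): escape for SQL, not for HTML.
// real_escape_string() needs the live connection because the escaping
// depends on the connection character set.
function buildEscapedInsert(mysqli $db, string $table, string $topic, string $detail, string $name, string $datetime): string
{
    $e = fn(string $s): string => $db->real_escape_string($s);
    return "INSERT INTO $table(topic, detail, name, datetime) VALUES('"
         . $e($topic) . "', '" . $e($detail) . "', '" . $e($name) . "', '" . $e($datetime) . "')";
}

// Fix B (preferred): a prepared statement. Only the SQL skeleton is compiled;
// the values travel separately and can never change its structure. Table
// names cannot be bound, so forum_question is a literal here (an assumption;
// the question used $tbl_name).
function insertTopicPrepared(mysqli $db, string $topic, string $detail, string $name, string $datetime): int
{
    $stmt = $db->prepare('INSERT INTO forum_question (topic, detail, name, datetime) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssss', $topic, $detail, $name, $datetime);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $insertId = (int) $stmt->insert_id;
    $stmt->close();
    return $insertId;
}

// Constructed sample input: a BBCode body with an apostrophe, as a real post would have.
$detail = "Here's a [b]bold[/b] word";
echo buildNaiveInsert('forum_question', 'Hello', $detail, "O'Brien", date('d/m/y h:i:s')), "\n";
// Printed SQL: ... VALUES('Hello', 'Here's a [b]bold[/b] word', 'O&#039;Brien', ...
// MySQL closes the literal at the quote in Here's, then meets "s a [b]bold..."
// and reports the same ERROR [1064] as the question. Because that quote came
// from user input, the same defect lets a user rewrite the query: SQL injection.

// With a server available, the fixed versions run against it (placeholder credentials):
// $db = new mysqli('localhost', 'forum_user', 'secret', 'forum');
// $db->set_charset('utf8mb4');
// echo buildEscapedInsert($db, 'forum_question', 'Hello', $detail, "O'Brien", date('d/m/y h:i:s')), "\n";
// echo insertTopicPrepared($db, 'Hello', $detail, "O'Brien", date('d/m/y h:i:s')), "\n";
```

Escaping works only when every interpolated value goes through it; add_answer.php shows how easy it is to miss one ($a_answer, $id and $Max_id are never escaped). Binding parameters removes the whole class of bug instead of one instance. Stripping tags and parsing BBCode are output-side concerns and stay where they are; the SQL escaping or binding is applied last, to whatever string is actually stored.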