由于Wordpress不会保存包含PHP,HTML和SQL代码的帖子,因此我的技术博客没有起步。我将不得不修改Wordpress卫生方法或推出我自己的基本博客平台,但是在MySQL数据库中使用这种内容存储技术文本的正确和安全的方法是什么?
答案 0 :(得分:0)
我假设你正在使用php 最好是使用PDO,请参阅:http://www.php.net/manual/en/pdo.prepare.php
来自该网站
示例#1准备具有命名参数的SQL语句
<?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
示例#2准备带有问号参数的SQL语句
<?php
/* Execute a prepared statement by passing an array of values */
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->execute(array(150, 'red'));
$red = $sth->fetchAll();
$sth->execute(array(175, 'yellow'));
$yellow = $sth->fetchAll();
?>
或者使用转义
在将值插入查询之前,使用mysql_real_escape_string()
来转义值。
$val1 = mysql_real_escape_string($_POST['value1']);
$query = "SELECT a,b,c FROM table1 WHERE a = '$val1' ";
// the quotes are essential ^ ^
将代码输出为代码
输出内容时使用:
echo "the output is: ".htmlentities($output);