Question

我终于学会了如何做到这一点但问题是，当我点击lol.php？id = 2时，它仍会显示所有内容来源：

<?php

   mysql_connect("localhost", "root", "");
   mysql_select_db("blog");

   $result = mysql_query("SELECT post_id, title, body FROM posts ORDER BY post_id DESC");

   while ($row = mysql_fetch_array($result)){
      $jokeid = $row["post_id"];
      $title = $row["title"];
      $body = $row["body"];
      echo("<A HREF='lol.php?view=$jokeid'>$title</A>". "<br />". $body . "<br />");
   }
   mysql_close();
?>

以及任何安全建议，我应该在哪里应用mysql_reall_escape_string？

Answer 1

您没有任何用户输入的处理程序，尝试下面的操作，这将检查是否先设置id=NUMBER

<?php

mysql_connect("localhost", "root", "");
mysql_select_db("blog");
if ($_GET['id']) {
   $result = mysql_query("SELECT  title, body FROM posts WHERE post_id = ".intval($_GET['id']));
   $post = mysql_fetch_assoc($result);
   // use $post to show whatever you want here
}
else{
   $result = mysql_query("SELECT post_id, title, body FROM posts ORDER BY post_id DESC");

   while ($row = mysql_fetch_array($result)){
     $jokeid = $row["post_id"];
     $title = $row["title"];
     $body = $row["body"];
     echo("<A HREF='lol.php?view=".$jokeid."'>".$title."</A>". "<br />". $body . "<br />");
   }
}
mysql_close();

Answer 2

您需要使用htmlspecialchars()

转义数据库变量以进行输出

$title = htmlspecialchars($row["title"]);
$body = htmlspecialchars($row["body"]);
echo("<A HREF='lol.php?view=$jokeid'>$title</A>". "<br />". $body . "<br />");

如果数据库由用户输入填充，则可以防止跨站点脚本编写。

我的id = x只显示所有内容？

2 个答案: