在mysql数据库中安全地保存和显示HTML和特殊字符?
[英]Saving and Displaying HTML and special characters in a mysql database safely?
问题描述
The title basically sums it up. 
标题基本上是总结。 I built a small blog but I cant even post links in my articles! 我建立了一个小博客,但我什至不能在我的文章中发布链接! What can I do? 我能做什么? I've tried htmlentities() , htmlspecialchars() , real_escape_string() and basically every form of escape there is. 我已经尝试了htmlentities() , htmlspecialchars() , real_escape_string() ,基本上每种形式的转义都存在。 I am using PHP 5.3 with MySQL 5.1 我正在将PHP 5.3与MySQL 5.1一起使用
Here is my code to save the blog to the db: 这是将博客保存到数据库的代码:
function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlentities($data);
if ($problem && strlen($data) == 0)
{
die($problem);
}
return $data;
}
if(isset($_POST['addBlog'])) { //form submitted?
// get form values, escape them and apply the check_input function
$title = $link->real_escape_string($_POST['title']);
$category = $link->real_escape_string(check_input($_POST['category'], "You must choose a category."));
$content = $link->real_escape_string(check_input($_POST['blogContent'], "You can't publish a blog with no blog... dumbass."));
$date = $link->real_escape_string(check_input($_POST['pub_date'], "What day is it foo?"));
// our sql query
$sql = $link->prepare("INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)");
$sql->bind_param('ssss', $title, $date, $category, $content);
//save the blog
#mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
$sql->execute();
if (!$sql)
{
print "<p> Your Blog Was NOT Saved. </p>";
}
}
and here is my code to display the blog: 这是我显示博客的代码:
// Grab the data from our people table
$result = mysqli_query($link, "SELECT * FROM pub_blogs ORDER BY date DESC") or die ("Could not access DB: " . mysqli_error($link));
while ($row = mysqli_fetch_assoc($result))
{
$id = $link->real_escape_string($row['id']);
$title = $link->real_escape_string($row['title']);
$date = $link->real_escape_string($row['date']);
$category = $link->real_escape_string($row['category']);
$content = $link->real_escape_string($row['content']);
$id = stripslashes($id);
$title = stripslashes($title);
$date = stripslashes($date);
$category = stripslashes($category);
$content = stripslashes($content);
echo "<div class='blog_entry_container'>";
echo "<span class='entry_date'><a href='#'>" .$date. "</a> - </span><span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id=" .$id. "'>" .$title. "</a></span>";
echo "<p>" .$content. "</p>";
echo "</div>";
}
1 个解决方案
解决方案1
5 已采纳 2012-09-27 03:50:29
While encoding characters is a good thing, one must make sure not to over-encode. 虽然编码字符是一件好事,但必须确保不要过度编码。
Only encode what /needs/ encoded at that time. 仅对当时需要的内容进行编码。 Don't encode the HTML before putting it into your database. 在将HTML放入数据库之前,请勿对HTML进行编码。 You may want to print things out later, or you may want to run searches against it. 您可能需要稍后打印出来,或者可能要对其进行搜索。 Use the proper escape sequences for SQL (or, better yet, use PDO ). 对SQL使用正确的转义序列(或者最好使用PDO )。
Only when you are sending things to the browser should you escape the HTML, and then you need to decide what kind of escaping you need. 仅当将内容发送到浏览器时,才应转义HTML,然后需要确定需要哪种转义。 To convert things like < and & as the character entities so they will display properly, then use the right escape method for that. 要将<和&类的东西转换为字符实体,以便它们正确显示,然后使用正确的转义方法 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.