
mysql_real_escape_string not working?

I'm trying to secure the data users submit via forms on my website so they cannot submit data in HTML. I am trying the following but when I test it, I'm still able to submit HTML data and it writes to the DB just as I entered and displays the HTML when I read from the DB.

if (isset($_POST['submit'])) {
    $errors = '';   // initialise so the .= below does not touch an undefined variable

    if ( strlen($_POST['topictitle']) < 10 ) {
        $errors .= "<div>Your topic title must be 10 characters or longer!</div>";
    } else {
        // escaped for the SQL string only; HTML in the value is left as-is
        $thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
    }

    if ( strlen($_POST['content']) < 10 ) {
        $errors .= "<div>Your message must be 10 characters or longer!</div>";
    } else {
        // escaped for the SQL string only; HTML in the value is left as-is
        $content = mysqli_real_escape_string($db_connect, $_POST['content']);
    }

    if ($errors !== '') {
        $error_message = "<div class=\"error_box\">$errors</div>";
        $smarty->assign ('error_message', $error_message);
    } else {
        $thread_sql = "
            INSERT INTO forum_threads (
                user_id,
                forum_id,
                thread_postdate,
                thread_lastpost,
                thread_title,
                thread_description,
                thread_icon
            ) VALUES (
                '$_SESSION[user_id]',
                '$_GET[f]',
                '$date',
                '$date',
                '$thread_title',
                IF('$_POST[topicdescription]'='',NULL,'$_POST[topicdescription]'),
                IF('$_POST[posticon]'='NULL',NULL,'$_POST[posticon]')
                /* only $thread_title above is escaped; the $_GET and $_POST values
                   are interpolated into the statement unescaped */
            )
        ";
        $thread_query = @mysqli_query ($db_connect, $thread_sql);

        $select_thread_sql = "
            SELECT
                thread_id
            FROM
                forum_threads
            WHERE
                thread_id = LAST_INSERT_ID()
        ";
        $select_thread_query = @mysqli_query ($db_connect, $select_thread_sql);
        $select_thread = mysqli_fetch_assoc($select_thread_query);

        $thread_id = $select_thread['thread_id'];

        $post_sql = "
            INSERT INTO forum_posts (
                user_id,
                thread_id,
                post_message,
                post_date
            ) VALUES (
                '$_SESSION[user_id]',
                '$thread_id',
                '$content',
                '$date'
            )
        ";
        $post_query = @mysqli_query ($db_connect, $post_sql);

        $url = $url . "forum.php?t=" . $thread_id;
        header("Location: $url");
        exit();
    }
}

mysqli_real_escape_string is not meant to escape HTML tags, only to guard against SQL injection. If you want to prevent HTML from being implemented, look at strip_tags or htmlentities.
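The two sinks in the question need two different defences, and the answer above only names the second. As an added example (not code from the original question or answer), the script below shows the SQL layer done with a prepared statement instead of mysqli_real_escape_string plus interpolation, and the HTML layer done with htmlspecialchars at output time. The table and column names match the question; $db (a connected mysqli), the helper names and the sample payload are assumptions. The prepared statement also closes the gap left by $_GET['f'], $_SESSION['user_id'] and the two $_POST values that the question interpolates with no escaping at all.

```php
<?php
// Added example, not code from the original question or answer. Table and
// column names come from the question; $db (a connected mysqli) and the
// helper names are assumptions.
declare(strict_types=1);

// SQL sink: bind user values as parameters instead of escaping them into a
// string. The value travels separately from the statement text, so quotes,
// backslashes and HTML reach the column exactly as typed and cannot alter
// the statement.
function insert_post(mysqli $db, int $userId, int $threadId, string $message, string $date): int
{
    $stmt = $db->prepare(
        'INSERT INTO forum_posts (user_id, thread_id, post_message, post_date)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('iiss', $userId, $threadId, $message, $date);
    $stmt->execute();
    return (int) $db->insert_id;   // what the question's LAST_INSERT_ID() query fetched
}

// HTML sink: encode when the value is written into a page, for the context it
// lands in. ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 rather than returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: harmless to the database, dangerous if echoed raw.
$payload = "<script>alert('xss')</script>";

// SQL-style escaping only touches quotes, backslashes and a few control
// characters. addslashes() stands in for mysqli_real_escape_string() here so
// the script runs without a database connection; the tags survive untouched.
echo 'SQL-style escaping: ' . addslashes($payload) . PHP_EOL;

// Output encoding is what neutralises the tags for the browser.
echo 'HTML encoding:      ' . h($payload) . PHP_EOL;

// With a live connection the first layer is a single call, assumed here:
// $id = insert_post($db, (int) $_SESSION['user_id'], $thread_id, $_POST['content'], $date);
```

Running the script prints the payload twice: after addslashes only the single quotes gain a backslash and the script tags are intact, while after htmlspecialchars every angle bracket and quote has become an entity. Storing the raw text and encoding at render time is preferable to running htmlentities before the INSERT, because the same stored value may later be emitted into a different context (JSON, e-mail, an attribute) that needs different encoding; in the question's Smarty templates that means applying the |escape modifier where the title and message are printed. strip_tags is not a substitute: the PHP manual itself warns that it does not validate HTML and should not be relied on to prevent XSS.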
