2012-06-16 53 views
-2

I have another problem with this forum. Everything works fine, except that it doesn't post HTML. The forum doesn't display HTML from MySQL.

When I post a thread without any HTML it shows up in the thread view, but if I post HTML, bold, etc., it doesn't show up at all.

Here's the post-processing file:

```php
<?php
include "connect.php"; // connection string

if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $yourpost = $_POST['yourpost'];
    $subject = $_POST['subject'];

    if (strlen($name) < 1) {
        print "You did not type in a name."; // no name entered
    } else if (strlen($yourpost) < 1) {
        print "You did not type in a post."; // no post entered
    } else if (strlen($subject) < 1) {
        print "You did not enter a subject."; // no subject entered
    } else {
        $thedate = date("U"); // get unix timestamp
        $displaytime = date("F j, Y, g:i a");

        // we now strip HTML injections
        $subject = strip_tags($subject);
        $name = strip_tags($name);
        $yourpost = strip_tags($yourpost);

        $insertpost = "INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";
        mysql_query($insertpost) or die("Could not insert post"); // insert post
        print "Message posted, go back to <A href='index.php'>Forum</a>.";
    }
} else {
    print "<form action='post.php' method='post'>";
    // the session key must be quoted; a bare usr_name is an undefined constant
    print '<input type="hidden" name="name" value="' . $_SESSION['usr_name'] . '" size="20"><br>';
    print "Topic title:<br>";
    print "<input type='text' name='subject' size='20'><br>";
    print "Your message:<br>";
    print "<textarea name='yourpost' rows='5' cols='40' id='new_thread'></textarea><br>";
    print "<input type='submit' name='submit' value='submit'></form>";
}
?>
<script language="JavaScript">
    generate_wysiwyg('new_thread');
</script>
```

Here is the thread view:

```php
<?php
include "connect.php"; // mysql db connection here

$id = $_GET['id'];
$gettopic = "SELECT * from forumtutorial_posts where postid='$id'";
$gettopic2 = mysql_query($gettopic) or die("Could not get topic");
$gettopic3 = mysql_fetch_array($gettopic2);

print "<div id='left'>";
print "<div id='navi-body'>";
print "<a href='index.php'>Back to main forum</a> <a href='post.php'>New Topic</a> <A href='reply.php?id=$id'>Reply</a>";
print "</div>";

print "<div class='content'>";
print "<div class='content-header yellow'>$gettopic3[title]</div>";
print "<div class='content-mid'>";
$message = strip_tags($gettopic3['post']);
$message = nl2br($message);
print "$message";
print "<br /><br />";
print "Posted by: $gettopic3[author] Created at: $gettopic3[showtime]";
print "</div>";
print "<div class='content-footer'></div>";
print "</div>";

$getreplies = "Select * from forumtutorial_posts where parentid='$id' order by postid desc"; // getting replies
$getreplies2 = mysql_query($getreplies) or die("Could not get replies");

while ($getreplies3 = mysql_fetch_array($getreplies2)) {
    print "<div class='content'>";
    print "<div class='content-header yellow'>$getreplies3[author] replied at $getreplies3[showtime]</div>";
    print "<div class='content-mid'>";
    $message = strip_tags($getreplies3['post']);
    $message = nl2br($message);
    print "$message";
    print "</div>";
    print "<div class='content-footer'></div>";
    print "</div>";
}
?>
```

I want it to display both HTML and non-HTML.

+0

Please show an example of what is being posted and what comes back, both in MySQL and in PHP. –

+0

Hi Blowski, the "post" bit in MySQL is blank, but everything else is filled in correctly. – NickkN

+0

I hope this is just dummy code, because your input as it stands is completely unsafe. You should take a close look at PDO. –

Answer

1

..but you have the strip_tags() function there, which strips any HTML or PHP tags from the string (post).

```php
$message = strip_tags($getreplies3['post']);
```

You may want to use the second part of this function and add some extra parameters for the tags you wish to allow (like bold, italic, etc.).

```php
$message_with_some_html = strip_tags($getreplies3['post'], '<strong><em>');
```

I hope I'm right, please check the PHP documentation... :)

You may also want to sanitize the $_POST variables with htmlentities() and some regex statements before using the client input, to filter out possible attacks.

+0

Milan, I want to allow all of the HTML. Is there a tutorial that would help me understand? – NickkN

+0

Hi; you might want to implement something like tinyMCE for your client-side input (http://www.tinymce.com/) and check this post for some good suggestions on how to filter out some extra special characters: http://stackoverflow.com/questions/1225472/validation-detected-dangerous-client-input-post-from-tinymce-in-asp-net – Milan

+0

Could you be more specific about how you use your page? – Milan
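The following is an added example, not code from the question or the answer. It puts the answer's two suggestions (an allowed-tag list for strip_tags() and sanitizing the input) together with the PDO prepared statements the comment on the question asks for. It assumes the forumtutorial_posts table and column names from the question, a PDO connection held in $pdo and created by connect.php (with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION), and the session key usr_name from post.php; the functions sanitize_post_html, is_safe_href, insert_post and fetch_topic are this example's own names. It goes one step beyond the answer: strip_tags() keeps the attributes of the tags it allows, so `<strong onmouseover="...">` passes through an allowlist of `<strong>` untouched, and the sanitizer therefore also walks the parsed fragment, drops every attribute that is not allowlisted for that tag, and rejects href values whose scheme is not http or https.

```php
<?php
// Added example, not the question's or the answer's code. Assumes the
// forumtutorial_posts table from the question and a PDO connection $pdo
// created by connect.php with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
require 'connect.php';

// Allowlist sanitizer. strip_tags() keeps the attributes of allowed tags, so it
// strips disallowed tags first, then drops every attribute not allowed for that tag.
function sanitize_post_html(
    string $html,
    array $allowedTags = ['strong', 'em', 'b', 'i', 'u', 'p', 'br', 'a'],
    array $allowedAttrs = ['a' => ['href']]
): string {
    // Step 1: remove every tag not on the allowlist; text content is kept.
    $stripped = strip_tags($html, '<' . implode('><', $allowedTags) . '>');

    // Step 2: parse what is left and remove attributes that are not allowed.
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // fragments raise warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="sanitizer-root">' . $stripped . '</div>');
    libxml_use_internal_errors($previous);
    $xpath = new DOMXPath($doc);
    $root = $xpath->query('//div[@id="sanitizer-root"]')->item(0);
    if (!$root instanceof DOMElement) {
        return htmlspecialchars($html, ENT_QUOTES, 'UTF-8'); // fail closed: show as text
    }
    foreach ($xpath->query('.//*', $root) as $element) {
        $keep = $allowedAttrs[strtolower($element->tagName)] ?? [];
        $toRemove = [];
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $keep, true) || ($name === 'href' && !is_safe_href($attr->value))) {
                $toRemove[] = $attr->name;
            }
        }
        foreach ($toRemove as $name) {
            $element->removeAttribute($name);
        }
    }

    // Step 3: serialize only the children of the wrapper div.
    $clean = '';
    foreach ($root->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

// Only http(s) and relative URLs may appear in href; javascript: is rejected.
function is_safe_href(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false; // whitespace or control characters can disguise a scheme
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false; // unparseable
    }
    $scheme = strtolower((string) $scheme);
    return $scheme === '' || $scheme === 'http' || $scheme === 'https';
}

// Insert with a prepared statement; nothing is interpolated into the SQL.
function insert_post(PDO $pdo, string $author, string $title, string $body): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO forumtutorial_posts (author, title, post, showtime, realtime, lastposter)
         VALUES (:author, :title, :post, :showtime, :realtime, :lastposter)'
    );
    $stmt->execute([
        ':author' => $author, ':title' => $title, ':post' => $body,
        ':showtime' => date('F j, Y, g:i a'), ':realtime' => time(), ':lastposter' => $author,
    ]);
    return (int) $pdo->lastInsertId();
}

// Fetch one topic; the id is bound as an integer instead of pasted into the query.
function fetch_topic(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM forumtutorial_posts WHERE postid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// post.php: author from the session (the hidden field is client-controlled);
// the body is sanitized here and again with sanitize_post_html() when displayed.
if (isset($_POST['submit'])) {
    $author = strip_tags((string) ($_SESSION['usr_name'] ?? ''));
    $title  = strip_tags((string) ($_POST['subject'] ?? ''));
    $body   = sanitize_post_html((string) ($_POST['yourpost'] ?? ''));
    if ($author === '' || $title === '' || trim(strip_tags($body)) === '') {
        print 'Name, subject and post are all required.';
    } else {
        insert_post($pdo, $author, $title, $body);
        print "Message posted, go back to <a href='index.php'>Forum</a>.";
    }
}
```

In the thread view, `fetch_topic($pdo, (int) $_GET['id'])` replaces the interpolated SELECT, the stored body is printed as `nl2br(sanitize_post_html($topic['post']))`, and the title and author, which are plain text, are printed through `htmlspecialchars()`. Sanitizing on output as well as on input means a tightened allowlist also applies to posts that were stored earlier. With this in place the bold and italic markup the question wants survives, while script tags, event-handler attributes and `javascript:` links do not.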