0
我试图保护数据用户通过我的网站上的表单提交,以便他们不能以HTML格式提交数据。我正在尝试以下内容,但是当我测试它时,我仍然能够提交HTML数据,并且在我从DB读取数据时输入并显示HTML时,它将数据写入数据库。mysql_real_escape_string不工作?
if (isset($_POST['submit'])) {
if (strlen($_POST['topictitle']) < 10) {
$errors .= "<div>You topic title must be 10 characters or longer!</div>";
} else {
$thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
}
if (strlen($_POST['content']) < 10) {
$errors .= "<div>You message must be 10 characters or longer!</div>";
} else {
$content = mysqli_real_escape_string($db_connect, $_POST['content']);
}
if (isset($errors)) {
$error_message = "<div class=\"error_box\">$errors</div>";
$smarty->assign ('error_message', $error_message);
} else {
$thread_sql = "
INSERT INTO forum_threads (
user_id,
forum_id,
thread_postdate,
thread_lastpost,
thread_title,
thread_description,
thread_icon
) VALUES (
'$_SESSION[user_id]',
'$_GET[f]',
'$date',
'$date',
'$thread_title',
IF('$_POST[topicdescription]'='',NULL,'$_POST[topicdescription]'),
IF('$_POST[posticon]'='NULL',NULL,'$_POST[posticon]')
)
";
$thread_query = @mysqli_query ($db_connect, $thread_sql);
$select_thread_sql = "
SELECT
thread_id
FROM
forum_threads
WHERE
thread_id = LAST_INSERT_ID()
";
$select_thread_query = @mysqli_query ($db_connect, $select_thread_sql);
$select_thread = mysqli_fetch_assoc($select_thread_query);
$thread_id = $select_thread['thread_id'];
$post_sql = "
INSERT INTO forum_posts (
user_id,
thread_id,
post_message,
post_date
) VALUES (
'$_SESSION[user_id]',
'$thread_id',
'$content',
'$date'
)
";
$post_query = @mysqli_query ($db_connect, $post_sql);
$url = $url . "forum.php?t=" . $thread_id;
header("Location: $url");
exit();
}
}
+1然而正在实施的样子,只有'ヶ辆()'提供全面的安全性以防止XSS攻击,'用strip_tags()'本身不会削减它 – 2010-11-04 18:38:51
'strip_tags'是除非你把字符串放在属性中。如果和ENT_QUOTES一起使用,'htmlentities'只是'安全的'。 – mario 2010-11-04 18:41:30