PDO UPDATE doesn't seem to store quotes?


Question

I'm just starting out with PDO methods and now I'm stuck at a little question. If I create a form to insert first name and last name into a database I can insert all types of special characters with the code below:

try {
    // PDO's MySQL DSN key is "host", not "dbhost"; an unknown key is ignored,
    // so the original silently connected to the default host.
    $db = new PDO('mysql:host=' . $dbhost . ';dbname=' . $dbname, $dbuser, $dbpass);
    $db->exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
    echo $e->getMessage();
}
// Named placeholders: the values are bound as data, so quotes in them
// never become part of the SQL text.
$query = $db->prepare("INSERT INTO users(fname, lname) VALUES(:fname, :lname)");
$insert_array = array(
    ":fname" => $fname,
    ":lname" => $lname
);
$query->execute($insert_array);
$db = NULL;

I can insert ":;,-!"#¤%&&(%)?{][]}£$€{{{$@@_--" without any problems, even insert an SQL-injection. But when I try to update the database with similar code it does accept all types of special characters, except quotes. Why is that? The code I'm using to update is:

try {
    // Same DSN fix as above: the key is "host", not "dbhost".
    $db = new PDO('mysql:host=' . $dbhost . ';dbname=' . $dbname, $dbuser, $dbpass);
    $db->exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
    echo $e->getMessage();
}
$query = $db->prepare("UPDATE users SET fname=:fname, lname=:lname WHERE userid=:userid");
$update_array = array(
    ":fname" => $fname,
    ":lname" => $lname,
    ":userid" => $_GET['userid']   // untrusted, but bound as a parameter rather than interpolated
);
$query->execute($update_array);
$db = NULL;

I'm grateful for all the help I can get.

-= SOLUTION =-

I had to use htmlspecialchars() to "decode" the string. Like this:

<?php
// The markup is built as one single-quoted PHP string; the '.htmlspecialchars(...).'
// concatenations splice the escaped stored values into the value="" attributes.
echo '<form action="" method="post">
    First name<br><input type="text" name="fname" value="'.htmlspecialchars($user['fname']).'">
    Last name: <br><input type="text" name="lname" value="'.htmlspecialchars($user['lname']).'">
    <input type="submit">
</form>';

Now all kinds of special characters works perfectly. Thanks for all help everybody, really appreciate it! :D

Accepted answer

Waleed Khan is correct I believe. Not necessarily xssing yourself in this case (though this is a clear vulnerability you show here and leave the door wide-open for such attacks), but instead just breaking your html as far as I can tell.

By just echoing $user['fname'] and $user['lname'] values raw - which contain double quotes from the previous submission - you inadvertently allow the premature closure of the html element attribute value as you draw it, thus breaking your HTML form. Surprised it still submits at all. In your browser, check something like Firebug and examine the form - you should see the input is oddly formed and maybe some extra characters drawn after it.

Always use htmlentities() or other similar escape helper functions on PHP values before echoing them directly in HTML. Always.

Example:

<form action="" method="post">
    First name<br><input type="text" name="fname" value="<?php echo htmlentities( $user['fname'], ENT_COMPAT, 'UTF-8' ); ?>">
    Last name: <br><input type="text" name="lname" value="<?php echo htmlentities( $user['lname'], ENT_COMPAT, 'UTF-8' ); ?>">
    <input type="submit">
</form>

regarding your claim that "And it's working to update with quotes if I delete the quotes in the value of the form", which I take to mean you set your HTML element attribute values using single-quotes rather than double-quotes, it's really not working at all.

If the user submitted a value with single quotes, it would similarly break your fixed example because a single quote in the value will prematurely close your HTML element attribute value declaration. Using double-quotes to declare an HTML element attribute value is best, but if you choose to use single quotes when you build the HTML element, then in PHP, use htmlentities($string, ENT_QUOTES).

Do study the htmlentities manual page though to make sure you're using it properly.
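The following is an added example, not code from the question or the answer. It reproduces the whole round trip the thread argues about: the bound INSERT and UPDATE store both kinds of quote verbatim, the raw echo into value="" is where the double quote disappears, and the single-quote case from the answer shows why ENT_QUOTES is the safer flag. It assumes the pdo_sqlite extension is available (an in-memory SQLite table stands in for the MySQL users table so the script runs offline); the sample names and the browserSeesValue() helper are constructed for the illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: pdo_sqlite is installed; browserSeesValue() is a constructed
// helper that mimics how a browser reads a double-quoted attribute.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');

// Constructed form input with both kinds of quote and an injection attempt.
$fname = 'Robert"; DROP TABLE users; --';
$lname = "O'Brien";

// Bound parameters: the quotes travel as data, never as SQL text.
$db->prepare('INSERT INTO users (fname, lname) VALUES (:fname, :lname)')
   ->execute([':fname' => $fname, ':lname' => $lname]);
$db->prepare('UPDATE users SET fname = :fname, lname = :lname WHERE userid = :userid')
   ->execute([':fname' => $fname, ':lname' => $lname, ':userid' => 1]);

$user = $db->query('SELECT fname, lname FROM users WHERE userid = 1')->fetch(PDO::FETCH_ASSOC);
if ($user['fname'] !== $fname || $user['lname'] !== $lname) {
    throw new RuntimeException('PDO did not store the value verbatim');
}
// Getting past this check shows the database layer is not what drops the quotes.

// Mimic the browser: a double-quoted attribute value ends at the next double
// quote, and entities inside it are decoded before the form is submitted.
function browserSeesValue(string $inputTag): string
{
    preg_match('/value="([^"]*)"/', $inputTag, $m);
    return html_entity_decode($m[1] ?? '', ENT_QUOTES, 'UTF-8');
}

// 1. Raw echo, as in the original form: the stored '"' closes the attribute
//    early, so the next submit (and therefore the next UPDATE) carries only
//    the text before that quote.
$raw = '<input type="text" name="fname" value="' . $user['fname'] . '">';
echo "raw tag:     $raw\n";
echo "submitted:   " . browserSeesValue($raw) . "\n";

// 2. Escaped output: the quote becomes an entity, the attribute stays intact,
//    and the browser hands the full original string back on submit.
$safe = '<input type="text" name="fname" value="'
      . htmlspecialchars($user['fname'], ENT_QUOTES, 'UTF-8') . '">';
echo "escaped tag: $safe\n";
echo "submitted:   " . browserSeesValue($safe) . "\n";

// 3. The single-quote case from the answer: ENT_COMPAT (the default before
//    PHP 8.1) leaves ' untouched, which ends a single-quoted attribute early;
//    ENT_QUOTES escapes both quote characters and is safe for either style.
$compat = "value='" . htmlspecialchars($user['lname'], ENT_COMPAT, 'UTF-8') . "'";
$quotes = "value='" . htmlspecialchars($user['lname'], ENT_QUOTES, 'UTF-8') . "'";
echo "ENT_COMPAT:  $compat\n";
echo "ENT_QUOTES:  $quotes\n";
```

Run it with the PHP CLI; the "submitted" line after the raw tag is the truncated value the original UPDATE kept receiving, while the one after the escaped tag matches the string that was stored. Escaping with ENT_QUOTES at output time, not when writing to the database, is what keeps the stored data and the rendered form in agreement.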
