在mysql数据库中安全地保存和显示HTML和特殊字符? [英] Saving and Displaying HTML and special characters in a mysql database safely?

查看:151
本文介绍了在mysql数据库中安全地保存和显示HTML和特殊字符?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

标题基本上是总结起来的.我建立了一个小博客,但我什至不能在我的文章中发布链接!我能做些什么?我已经尝试过htmlentities()htmlspecialchars()real_escape_string(),基本上每种形式的转义都有.我正在将PHP 5.3与MySQL 5.1一起使用

The title basically sums it up. I built a small blog but I cant even post links in my articles! What can I do? I've tried htmlentities(), htmlspecialchars(), real_escape_string() and basically every form of escape there is. I am using PHP 5.3 with MySQL 5.1

这是我将博客保存到数据库的代码:

Here is my code to save the blog to the db:

function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlentities($data);
if ($problem && strlen($data) == 0)
{
    die($problem);
}
    return $data;
}

if(isset($_POST['addBlog'])) { //form submitted?

// get form values, escape them and apply the check_input function
$title = $link->real_escape_string($_POST['title']);
$category = $link->real_escape_string(check_input($_POST['category'], "You must choose a category."));
$content = $link->real_escape_string(check_input($_POST['blogContent'], "You can't publish a blog with no blog... dumbass."));
$date = $link->real_escape_string(check_input($_POST['pub_date'], "What day is it foo?"));

 // our sql query
$sql = $link->prepare("INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)");
$sql->bind_param('ssss', $title, $date, $category, $content);


//save the blog     
#mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
$sql->execute();

if (!$sql) 
{
    print "<p> Your Blog Was NOT Saved. </p>";
}
}

这是显示博客的代码:

// Grab the data from our people table
        $result = mysqli_query($link, "SELECT * FROM pub_blogs ORDER BY date DESC") or die ("Could not access DB: " . mysqli_error($link));

        while ($row = mysqli_fetch_assoc($result))
        {   
            $id = $link->real_escape_string($row['id']);
            $title = $link->real_escape_string($row['title']);
            $date = $link->real_escape_string($row['date']);
            $category = $link->real_escape_string($row['category']);
            $content = $link->real_escape_string($row['content']);

            $id = stripslashes($id);
            $title = stripslashes($title);
            $date = stripslashes($date);
            $category = stripslashes($category);
            $content = stripslashes($content);

            echo "<div class='blog_entry_container'>";
            echo "<span class='entry_date'><a href='#'>" .$date. "</a> - </span><span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id=" .$id. "'>" .$title. "</a></span>"; 
            echo "<p>" .$content. "</p>";
            echo "</div>";
        }

推荐答案

虽然编码字符是一件好事,但必须确保不要过度编码.

While encoding characters is a good thing, one must make sure not to over-encode.

仅对当时的/needs/进行编码.在将HTML放入数据库之前,请勿对HTML进行编码.您可能需要稍后打印出东西,或者可能要对其进行搜索.为SQL使用正确的转义序列(或者更好的是,使用PDO).

Only encode what /needs/ encoded at that time. Don't encode the HTML before putting it into your database. You may want to print things out later, or you may want to run searches against it. Use the proper escape sequences for SQL (or, better yet, use PDO).

仅在将内容发送到浏览器时,才应转义HTML,然后才需要确定所需的转义类型.要将<&之类的内容转换为字符实体,以便它们正确显示,请使用右转义方法.

Only when you are sending things to the browser should you escape the HTML, and then you need to decide what kind of escaping you need. To convert things like < and & as the character entities so they will display properly, then use the right escape method for that.

这篇关于在mysql数据库中安全地保存和显示HTML和特殊字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆