将HTML数据插入到数据库表中 [英] Inserting HTML data into db table
问题描述
函数html($ data,$ db)在使用html标记数据插入db表之前,
{
$ data = $ db-> escape_string($ data);
返回$ data;
}
但有问题:我看到/ - 在每个
例如
< p style = \margin-top:15px; margin-right:0px; margin-bottom:10px; margin-left:0px; padding-top:0px; padding-right:0px; padding-bottom:10px; padding-left:0px; \>
如何处理这个问题?
<不过,这取决于你的escape_string()函数的作用。
此外,你有 magic_quotes_gpc 指令开启或关闭(默认情况下应关闭)。
为了安全地插入数据库,您需要使用 mysql_real_escape_string()
。 NO addslashes(),没有自酿功能,但那一个,或者甚至更好,使用参数化的查询,这可以消除你引用转义的工作。试试 PDO
编辑:
现在看到了mysqli标签,所以mysql_real_esc ape_string()不是一个选项,但是magic_quotes指令仍然可能是导致此问题的罪魁祸首。
如果你有magic_quotes,你可以将它们通过 另外,在进入数据库之前,html不需要退出。我的意思是,你需要摆脱你的问题,并且通过我提到的方法来达到目的。 Html及其恶意对数据库没有任何影响。 Html需要在OUTPUT中跳出,然后才能使用 htmlentities() ,但为了逃避任何可能的XSS注入漏洞,还需要采取进一步的行动。这是一个复杂的主题,它需要很多工作才能逃脱无形的控制角色,恶意标记等等。您需要进一步研究,并开始阅读关于XSS注入威胁。 无论如何,不允许在浏览器上执行代码是一个开始。 不允许用户直接在页面上写html (相同的建议不仅适用于用户提交的输入,而且适用于来自外部的所有内容,如$ _GET参数或Cookie,甚至是隐藏的表单值),否则您将很容易产生 I'm using following function before insertion html markup data into db table But there is problem: i see "/" - slash before every " symbol
For ex. How to deal with that problem? No, it depends on what your escape_string() function does.
And, moreover, wheter you have magic_quotes_gpc directive turned on or off (it should be off by default). In order to insert safely into a database, you need to use mysql_real_escape_string()
. NO addslashes(), NO home-brewed functions, but that one. Or, even better, use parametrized queries which lifts off your work of escaping quotes. Try with PDO EDIT : saw now the mysqli tag, so mysql_real_escape_string() is not an option, but the magic_quotes directive could still be the culprit for this. In case you have magic_quotes on you can either turn them off in your PHP ini, through Also, html DOESN'T NEED TO BE ESCAPED before going into a database. I mean, you need to escape YOUR QUERIES, and you achieve that by the methods I mentioned. Html and its maliciousness DOES NOTHING to the database. Html needs to be escape ON OUTPUT, and only then, and you use htmlentities() at minimum, but further action is required in order to escape any possibile XSS injection vulnerabilities. It's a complex subject, it requires a lot of work in order to escape invisible control characters, malicious tags, and so on. You need to make further reasearch into this , and start reading about XSS Injection threats. Anyway, not allowing a code to be executed on the browser is a start for this. Don't allow users to write html directly on your page (the same advice applies not only on user-submitted inputs, but on everything that comes from outside, like a $_GET parameter, or a Cookie, or even hidden form values) or you'll easily have a 这篇关于将HTML数据插入到数据库表中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋! ini_set('magic_quotes_gpc',0); , .htacces php_flag magic_quotes_gpc关闭 code>或者有一个简单的函数:
$ p $ 函数escape($ value)
{
if(get_magic_quotes_gpc())
{
$ value = stripslashes($ value);
}
// return mysql_real_escape_string($ value);更新后更改
返回$ value;
}
在使用mysql_real_escape_string()或它将返回FALSE。
< script>< / script> 危险问题,这可能会导致cookie被窃取,重定向,流量劫持,我无法在这里列出很多东西。通常情况下,htmlentities()提供了很好的保护,即使它的输出mithgt不够漂亮。function html($data, $db)
{
$data = $db->escape_string($data);
return $data;
}
<p style=\"margin-top: 15px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; \">
ini_set('magic_quotes_gpc',0); , .htacces php_flag magic_quotes_gpc Off or have a simple function like this:function escape($value)
{
if(get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
//return mysql_real_escape_string($value); changed after update
return $value;
}
Be sure to have an open connection before using mysql_real_escape_string() or it will return FALSE.<script></script> dangerous problem, that can lead to cookie stealing, bad redirecting, traffic hijacking, an so many things I can't list here. USually htmlentities() provides a good level of protection against that, even though its output mithgt not be pretty.
