有人可以告诉我我做错了什么吗?我正在尝试使用 php 过滤器清理和验证表单用户输入。此输入将进入 mySql 数据库,然后是 html 页面输出,因此我需要删除所有 html 标记并为 mySQL 提供安全性。
谢谢。
/*
* BEGIN Sanitize and validate
*/
// Adding fields to sanitize array.
$filters = array(
'author' => FILTER_SANITIZE_SPECIAL_CHARS,
'title' => FILTER_SANITIZE_SPECIAL_CHARS,
'description' => FILTER_SANITIZE_SPECIAL_CHARS,
);
/*** apply the filters to the POST array ***/
$filtered = filter_input_array(INPUT_POST, $filters);
// filtering out anything that isn't an email address
$sanitized_email = filter_var(($_POST["email"]), FILTER_SANITIZE_EMAIL);
if ( filter_var($sanitized_email, FILTER_VALIDATE_EMAIL) == TRUE) {
echo '';
} else {
echo 'Invalid Email Address. Go Back.';
exit;
}
/*
* BEGIN sanitize and validate
*/
新代码但仍然无法正常工作。我做错了什么。仍然在数据库中获取 html 并且错误不起作用。
/*
* BEGIN Sanitize and validate
*/
// Adding fields to sanitize array.
$filters = array(
'author' => FILTER_SANITIZE_STRING,
'title' => FILTER_SANITIZE_STRING,
'description' => FILTER_SANITIZE_STRING,
);
/*** apply the filters to the POST array ***/
$filtered = filter_input_array(INPUT_POST, $filters);
$filters = array_map('mysql_real_escape_string',$filters);
$filters = array_map('htmlspecialchars',$filters);
if ( filter_var_array($filtered, FILTER_SANITIZE_STRING)) {
echo '';
} else {
echo 'Invalid Input. Go Back.';
exit;
}
// filtering out anything that isn't an email address
$sanitized_email = filter_var(($_POST['email']), FILTER_SANITIZE_EMAIL);
if ( filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {
echo '';
} else {
echo 'Invalid Email Address. Go Back.';
exit;
}
/*
* BEGIN sanitize and validate
*/
第二次编辑如下:
通过将清理代码添加到将数据带入数据库的脚本区域,将清理后的数据显示在数据库中。
$_POST['author'] = mysql_real_escape_string(trim($_POST['author']));
$author=filter_var($_POST['author'], FILTER_SANITIZE_STRING);
$_POST['email'] = mysql_real_escape_string(trim($_POST['email']));
$email=filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
现在我必须完成验证电子邮件的尝试。