0

我有一个脚本可以让艺术家编辑他们的个人资料。一件事被证明是一个问题。我无法清理用户输入的内容。每次将 ' 放入数据中时,都不会显示它,因为它会缩短 php。

这是我的简历表格:

username = $_SESSION['username'];
    $pass = $_SESSION['password']; 
   include ("../database.php");
   $result = mysql_query("SELECT * FROM members WHERE username='$username' AND     password='$pass' AND artist='Y'");

while($row = mysql_fetch_array($result)){

       echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
       <textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
       <div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>

       </div>';

这是上传到数据库的脚本;

$username = $_SESSION['username']; 
    $pass = $_SESSION['password'];

     $artistname = $_POST['artistname'];
     $bio = $_POST['bio'];




include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");

$artisturl = mysql_query("SELECT * FROM members  
WHERE username='$username' AND password='$pass'  AND artist='Y'");

while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php?    artist=".$row['artistname']."");}
}

}
else echo'<p1>You must be an artist to use these features.</p1>';

是的,我知道我需要升级到 mysqli,并且我知道我需要使用准备好的语句。不过需要先解决这个问题。

4

2 回答 2

0

在向数据库输入任何内容之前,只需调用它:

mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);
于 2012-06-07T01:03:51.090 回答
0

如果您要在 SQL 查询中使用用户输入,则需要对其进行清理。这是一个简单的例子。

$username = mysql_real_escape_string($_SESSION['username']); 
$pass = mysql_real_escape_string($_SESSION['password']);
$artistname = mysql_real_escape_string($_POST['artistname']);
$bio = mysql_real_escape_string($_POST['bio']);

include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");
于 2012-06-07T11:08:54.350 回答