1

标题基本上概括了它。我建立了一个小博客,但我什至不能在我的文章中发布链接!我能做些什么?我试过了htmlentities(),基本上每一种逃避方式都有。我正在使用 PHP 5.3 和 MySQL 5.1htmlspecialchars()real_escape_string()

这是我将博客保存到数据库的代码:

function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlentities($data);
if ($problem && strlen($data) == 0)
{
    die($problem);
}
    return $data;
}

if(isset($_POST['addBlog'])) { //form submitted?

// get form values, escape them and apply the check_input function
$title = $link->real_escape_string($_POST['title']);
$category = $link->real_escape_string(check_input($_POST['category'], "You must choose a category."));
$content = $link->real_escape_string(check_input($_POST['blogContent'], "You can't publish a blog with no blog... dumbass."));
$date = $link->real_escape_string(check_input($_POST['pub_date'], "What day is it foo?"));

 // our sql query
$sql = $link->prepare("INSERT INTO pub_blogs (title, date, category, content) VALUES (?, ?, ?, ?)");
$sql->bind_param('ssss', $title, $date, $category, $content);


//save the blog     
#mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link));
$sql->execute();

if (!$sql) 
{
    print "<p> Your Blog Was NOT Saved. </p>";
}
}

这是我显示博客的代码:

// Grab the data from our people table
        $result = mysqli_query($link, "SELECT * FROM pub_blogs ORDER BY date DESC") or die ("Could not access DB: " . mysqli_error($link));

        while ($row = mysqli_fetch_assoc($result))
        {   
            $id = $link->real_escape_string($row['id']);
            $title = $link->real_escape_string($row['title']);
            $date = $link->real_escape_string($row['date']);
            $category = $link->real_escape_string($row['category']);
            $content = $link->real_escape_string($row['content']);

            $id = stripslashes($id);
            $title = stripslashes($title);
            $date = stripslashes($date);
            $category = stripslashes($category);
            $content = stripslashes($content);

            echo "<div class='blog_entry_container'>";
            echo "<span class='entry_date'><a href='#'>" .$date. "</a> - </span><span class='blog_title'><a class='blogTitleLink' href='blog-view.php?id=" .$id. "'>" .$title. "</a></span>"; 
            echo "<p>" .$content. "</p>";
            echo "</div>";
        }
4

1 回答 1

4

虽然编码字符是一件好事,但必须确保不要过度编码。

只对当时 /needs/ 编码的内容进行编码。在将 HTML 放入数据库之前不要对其进行编码。您可能想稍后打印出来,或者您可能想针对它运行搜索。为 SQL 使用正确的转义序列(或者,更好的是,使用PDO)。

只有当你向浏览器发送内容时,你才应该转义 HTML,然后你需要决定你需要什么样的转义。要将和之类的东西转换<&字符实体,以便它们正确显示,然后使用正确的转义方法

于 2012-09-27T03:50:29.430 回答