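I have a clean_string function that I apply to text entries in my application, but I'm worried it is too aggressive. Submitting text with single or double quotes to the database causes it to print out odd characters.
The clean_string function: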
<?php
/*
ini_set('display_errors', 1);
error_reporting(E_ALL);
*/
function clean_string($string) {
    $string = trim($string);
    $string = utf8_decode($string);
    $string = str_replace("#", "#", $string);
    $string = str_replace("%", "%", $string);
    if (mysql_real_escape_string($string)) {
        $string = mysql_real_escape_string($string);
    }
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return htmlentities($string);
}
?>
Entering text such as “Hello” or “world” in a text field produces the following result:
The clean_string function is called as follows:
//Clean
if ($submit == 'Submit') {
    $submit = clean_string($_POST['submit']);
    require_once("db_connect.php");
    $watchlist_name = clean_string($_POST['watchlist-name']);
    $watchlist_description = clean_string($_POST['watchlist-description']);
    $watchlist_category = $_POST['watchlist-category'];
    $existing_watchlist_name = clean_string($_POST['existing-watchlist']);
    $addWatchlist_bad_message = '';
    $addWatchlist_good_message = '';
    if ($db_server) {
        // Add new Watchlist
        if (!empty($watchlist_name)) {
            $watchlist_name = clean_string($watchlist_name);
            $watchlist_description = clean_string($watchlist_description);
            mysql_select_db($db_database);
            // Create new Watchlist
            $insert_new_watchlist = "INSERT INTO watchlists (user_id, name, description, category) VALUES ('$user_id', '$watchlist_name', '$watchlist_description', '$watchlist_category')";
            mysql_query($insert_new_watchlist) or die("Insert failed. " . mysql_error() . "<br />" . $insert_new_watchlist);
            // Insert film into new Watchlist
            $add_new_film = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES (" . mysql_insert_id() .", '$rt_id')";
            mysql_query($add_new_film) or die("Insert failed. " . mysql_error() . "<br />" . $add_new_film);
            $addWatchlist_good_message = '<div class="alert alert-success">Watchlist created successfully, and film added!</div>';?>
            <script>
            $('a.add-watchlist').trigger('click');
            </script><?php
        } else if (!empty($existing_watchlist_name)) {
            mysql_select_db($db_database);
            // Select existing Watchlist
            $existing_watchlist_select = "SELECT watchlist_id FROM watchlists WHERE name = '$existing_watchlist_name'";
            $existing_watchlist_select_result = mysql_query($existing_watchlist_select);
            $existing_watchlist_id = mysql_result($existing_watchlist_select_result, 0);
            // Add film to existing Watchlist
            $insert_into_existing = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES ('$existing_watchlist_id', '$rt_id')";
            mysql_query($insert_into_existing) or die("Insert failed. " . mysql_error() . "<br />" . $insert_into_existing);
            $addWatchlist_good_message = '<div class="alert alert-success">Film successfully added to existing Watchlist!</div>';?>
            <script>
            $('a.add-watchlist').trigger('click');
            </script><?php
        }
    } else {
        $addWatchlist_bad_message = '<div class="alert alert-error">Error: could not connect to the database.</div>';?>
        <script>
        $('a.add-watchlist').trigger('click');
        </script><?php
    }
    require_once("db_close.php");
}
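
As an added example (not part of the original post), this sketch keeps database handling and HTML encoding as two separate steps: the text is stored unmodified through a bound parameter and encoded once on output, shown next to the double htmlentities() pass that results from calling clean_string twice on the same value. The helper names save_watchlist and h, the sample input, and the in-memory SQLite database (used only so the script runs offline) are assumptions.

```php
<?php
// Added example: constructed input, hypothetical helper names.
// In-memory SQLite is used only so the script runs offline; with MySQL
// only the PDO DSN and credentials change.

// Store the text exactly as submitted; bound parameters keep it out of the SQL text.
function save_watchlist(PDO $db, int $userId, string $name, string $description): int
{
    $stmt = $db->prepare(
        'INSERT INTO watchlists (user_id, name, description) VALUES (:uid, :name, :descr)'
    );
    $stmt->execute([':uid' => $userId, ':name' => $name, ':descr' => $description]);
    return (int) $db->lastInsertId();
}

// Encode for HTML once, at the point of output.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE watchlists (
    watchlist_id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT, description TEXT)');

$input = "Tom's \"best\" films"; // constructed sample input

// What the posted calling code does to watchlist-name: htmlentities() runs twice.
$twice = htmlentities(htmlentities($input));
echo "encoded twice:  $twice\n";

// Raw into the database, raw out of it, encoded once for the page.
$id  = save_watchlist($db, 1, $input, 'constructed description');
$sel = $db->prepare('SELECT name FROM watchlists WHERE watchlist_id = :id');
$sel->execute([':id' => $id]);
$stored = $sel->fetchColumn();

echo "stored as-is:   $stored\n";
echo "HTML output:    " . h($stored) . "\n";
```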