0

我对脚本很陌生,但我一直很好地遵循代码逻辑。我有两个工作脚本(发布在下面),一个将表单发布到 mysql 数据库,另一个在表的同一页面上提取信息。我在以下我想要完成的事情上找不到帮助。

1.)对表格进行消毒,我被告知它非常容易注射/其他。大多数人会提交文本,我希望他们最终能够发布由第二个脚本调用和点击的 html 链接。

2.)我希望回调脚本对信息进行排序,以便最新的帖子位于顶部。(我可以在名为“日期”的类别和内容旁边创建一个新的 mysql 列,自动检测日期/时间并将其用于排序吗?我很想看到一些示例代码。

这是提交表格

<html>
<div style="width:  330px;  height:  130px;  overflow:  auto;">
<form STYLE="color: #f4d468;" action="send_post.php" method="post">

    Category: <select STYLE="color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000;" name="category">
<option value="category 1">category 1</option>
<option value="category 2">category 2</option>
<option value="category 3">category 3</option>
<option value="Other">Other</option>
</select> <br>

    <textarea overflow: scroll; rows="4" cols="60" STYLE="color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000; width:300px; height:80px; margin:0; padding:0;" name="contents"></textarea><br>
    <input type="submit" STYLE="color: #919191; font-family: Veranda; font-weight: bold; font-size: 10px; background-color: #000000;" value="Create Log">
</form>
</div>
</html>

发送邮件.php

<?php
//Connecting to sql db.
$connect=mysqli_connect("localhost","myuser","mypassword","mydb");

header("Location: http://mywebsite.com/myhomepage.php");

if (mysqli_connect_errno()) { echo "Fail"; } else { echo "Success"; }

//Sending form data to sql db.
mysqli_query($connect,"INSERT INTO mydbtable (category, contents)
VALUES ('$_POST[category]', '$_POST[contents]')");

?>

并 get php 在页面上调用它

<?php
$con=mysqli_connect("localhost","myuser","mypassword","mydb");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$result = mysqli_query($con,"SELECT * FROM mydbtable");

echo "<table border='1'>
<tr>
<th>Category</th>
<th>Contents</th>
</tr>";

while($row = mysqli_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['category'] . "</td>";
  echo "<td>" . $row['contents'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysqli_close($con);
?> 

同样在两个脚本中使用 $con=mysqli_connect 命令连接的情况下,这基本上暴露了吗?有人不能直接访问 php 并查看该信息吗?

我非常感谢您的帮助,非常愿意阅读和学习正确的做事方式!

4

1 回答 1

0

These two questions will help you.

  1. How can I prevent SQL injection in PHP?

  2. How can I specify sql sort order in sql query

    SELECT * FROM mydbtable ORDER BY date
    

And for having db passwords and connections in the open... typically people just include that php file (even though it doesn't make it any safer). However, if you have root access to your filing systems, you could put it in a high enough directory where it is above your htdocs, and it won't be accessible by url.

dbconnect.php

$con=mysqli_connect("localhost","myuser","mypassword","mydb");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

index.php

include 'dbconnect.php';

However, this doesn't actually make it any safer, it only is convenient that you won't accidentally post your code with your password.

于 2013-09-24T18:35:52.123 回答