如何正确处理html表单中的撇号?
问题描述:
我正在制作一个动态网页,允许用户发布他们最喜欢的食谱。在每个食谱下面有一个链接,可以让你对食谱做出评论。如果您发表评论,则评论将被发布到数据库中,除非评论中有任何撇号。下面是该addcomment.inc.php页面的代码:所谓addcomment.inc.php如何正确处理html表单中的撇号?
<?php
$con = mysql_connect("localhost", "test", "test") or die('Sorry, could not connect to database server');
mysql_select_db("recipe", $con) or die('Sorry, could not connect to database');
$recipeid = $_GET['id'];
$query = "select title from recipes where recipeid = $recipeid";
$result = mysql_query($query) or die('Could not retrieve file: ' . mysql_error());
echo "<form action=\"index.php\" method=\"post\">\n";
if (mysql_num_rows($result) == 0) {
$title = "Unknown Title";
}
else {
while($row=mysql_fetch_array($result, MYSQL_ASSOC)) {
$title = $row['title'];
}
}
echo "<h2>Enter your comment for the recipe \"$title.\" </h2>";
echo "<textarea rows=\"10\" cols=\"50\" name=\"comment\"></textarea><br>\n";
echo "Submitted by:<input type=\"text\" name=\"poster\"><br>\n";
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<input type=\"hidden\" name=\"content\" value=\"addcomment\">\n";
echo "<br><input type=\"submit\" value=\"Submit\">\n";
echo "</form>\n";
?>
不同的PHP文件中检索信息。这是下面的代码:
<?php
$recipeid = $_POST['recipeid'];
$poster = $_POST['poster'];
$comment = htmlspecialchars($_POST['comment']);
$date = date("Y-m-d");
$con = mysql_connect("localhost", "test", "test") or die('Could not connect to server');
mysql_select_db("recipe", $con) or die('Could not connect to database');
$query = "INSERT INTO comments (recipeid, poster, date, comment) " .
" VALUES ($recipeid, '$poster', '$date', '$comment')";
$result = mysql_query($query) or die('Could not query databse. ' . mysql_error());
if ($result)
echo "<h2>Comment posted</h2>\n";
else
echo "<h2>Sorry, there was a problem posting your comment</h2>\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
?>
如何才能使此代码正确处理单引号如果输入到注释表单中?
答
在你粘上任何东西到MySQL查询使其通过mysql_real_escape_string()
在你粘上任何东西到HTML,让它通过用htmlspecialchars()
这样可以防止SQL注入,JavaScript/HTML注入和野火。
答
你必须使用mysql_real_escape_string()
$comment = mysql_real_escape_string($_POST['comment']);
答
当你将它传递给MySQL时,你必须跳过输入,以避免用户可以执行SQL injection并对数据库执行恶意操作。
例子:
// wrong
$query = "select title from recipes where recipeid = $recipeid";
// correct
$query = "select title from recipes where recipeid = " . mysql_real_escape_string($recipeid);
您还可以逃避,当你把它传递给浏览器(以URL或urlencode())htmlspecialchars(),否则有人可能会插入数据库中的一些恶意的HTML或JavaScript代码的输出,然后用XSS attack攻击您的其他用户。
实施例:
// wrong
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
// correct
echo "<input type=\"hidden\" name=\"recipeid\" value=\"" . htmlspecialchars($recipeid) . "\">\n";
echo "<a href=\"index.php?content=showrecipe&id=" . urlencode($recipeid) . "\">Return to recipe</a>\n";