将 html/text 插入 mysql
我正在使用 TinyMCE 允许用户编辑某些页面的内容,问题是我应该存储 html 标签以及 class="" -es 和 ..etc。 我应该如何保护应用程序免受 SQL 注入并存储 html 标签? (主要问题是“ -s,它弄乱了 mysql 查询)
简而言之,我不知道如何将 $_POST (这是一个文本)添加到 insert_to_content() 函数中。
$html = "";
$url = "";if (isset($_GET["page"])) {$url = safesql($_GET["page"]);}
$sqlSelectPageText = mysql_query('SELECT * FROM content WHERE name="'.$url.'" LIMIT 1');
$pageText = mysql_fetch_array($sqlSelectPageText); /**/ $sqlSelectPageText = "";
if (isset($_GET["edit"]) and isset($_POST["text"])) {
insert_to_content($url,I_SHOULD_DO_SOMTHG_WAAA($_POST["text"]));
header('Location: admin.php?page='.$url);
}
$html .= '<div id="editor1div">';
$html .= '<form action="admin.php?page='.$url.'&edit" method="post">';
$html .= ' <input class="formsSubmit" type="image" src="images/yep2.png" alt="Save" />';
$html .= '<p>Content:</p>';
$html .= ' <textarea id="editor1" name="text">';
$html .= ' '.$pageText["text"]; /**/$pageText = "";
$html .= ' </textarea>';
$html .= '</form>';
$html .= '</div>';
echo $html;
function insert_to_content($whatPage, $text) {
if (mysql_query('UPDATE content SET text="'.$text.'", lastdate=NOW() WHERE name="'.$whatPage.'"')) {
return true;
} else {
return false;
}
}
function I_SHOULD_DO_SOMTHG_WAAA($text) {
//what should i do with it?
}
编辑:
@CaNNaDaRk: 我正在尝试使用您的工作,但从未使用过 PDO(或 OOP PHP)。
那么,我是否可能没有此功能? :D
“在..中找不到‘PDO’类”
`
$db = new PDO("mysql:host=$sqlHost;dbname=$sqlDb;$sqlUser,$sqlPass");
$stmt = $db->prepare('UPDATE content SET text=:text, lastdate=NOW() WHERE name=:name');
$stmt->execute( array(':text' => $html, ':name' => $whatPage ) );
I am using TinyMCE to allow users to edit the content of certain pages, the problem is that I should store html tags, along with class="" -es and ..etc.
How should I defend the application against SQL injection, and store the html tags? (main problem is the " -s, It is messing up the mysql query)
In nutshell, I don't know how to add the $_POST (which is a text) to the insert_to_content() function.
$html = "";
$url = "";if (isset($_GET["page"])) {$url = safesql($_GET["page"]);}
$sqlSelectPageText = mysql_query('SELECT * FROM content WHERE name="'.$url.'" LIMIT 1');
$pageText = mysql_fetch_array($sqlSelectPageText); /**/ $sqlSelectPageText = "";
if (isset($_GET["edit"]) and isset($_POST["text"])) {
insert_to_content($url,I_SHOULD_DO_SOMTHG_WAAA($_POST["text"]));
header('Location: admin.php?page='.$url);
}
$html .= '<div id="editor1div">';
$html .= '<form action="admin.php?page='.$url.'&edit" method="post">';
$html .= ' <input class="formsSubmit" type="image" src="images/yep2.png" alt="Save" />';
$html .= '<p>Content:</p>';
$html .= ' <textarea id="editor1" name="text">';
$html .= ' '.$pageText["text"]; /**/$pageText = "";
$html .= ' </textarea>';
$html .= '</form>';
$html .= '</div>';
echo $html;
function insert_to_content($whatPage, $text) {
if (mysql_query('UPDATE content SET text="'.$text.'", lastdate=NOW() WHERE name="'.$whatPage.'"')) {
return true;
} else {
return false;
}
}
function I_SHOULD_DO_SOMTHG_WAAA($text) {
//what should i do with it?
}
EDIT:
@CaNNaDaRk:
I am trying to use your work, but never used PDO (or OOP PHP) so.
So, is it possible that I don't have this function? :D
"Class 'PDO' not found in.."
`
$db = new PDO("mysql:host=$sqlHost;dbname=$sqlDb;$sqlUser,$sqlPass");
$stmt = $db->prepare('UPDATE content SET text=:text, lastdate=NOW() WHERE name=:name');
$stmt->execute( array(':text' => $html, ':name' => $whatPage ) );
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
它不仅是tinyMCE文本,还有可能导致SQL注入的整个脚本。对插入的每个参数使用 mysql_real_escape_string您的查询或考虑使用准备好的语句,例如PDO< /a>.
Its not only the tinyMCE text but rather your whole script that may lead to SQL injections. Either use mysql_real_escape_string for every parameter you insert into your query or think of using prepared statements such as PDO.
使用准备好的语句可以防止注入并帮助您解决“问题。
基于您的代码的一个小示例:
执行方法还返回 bool,因此您不必对代码进行太多更改。
Use of prepared statements can prevent injection and help you with the " issue.
A little example based on your code:
Execute method also returns bool so you don't have to change your code much.
mysql_real_escape_string()htmlspecialchars()以防止XSS。mysql_real_escape_string()as suggestedhtmlspecialchars()when adding content into the textarea to prevent XSS.您基本上需要对 html/sql 目标格式进行不同的引用。 没有什么比“通用引用”更好的了。引用时,总是引用某些特定输出的文本,例如:
likemysql 查询的表达式对于每种情况,您需要不同的引用,因为每种用法都存在于不同的语法上下文中。这也意味着不应在 PHP 的输入处进行引用,而应在特定的输出处进行引用!这就是像
magic_quotes_gpc这样的功能被破坏的原因(永远不要忘记处理它,或者更好,确保它被关闭!!!)。那么,在这些特殊情况下,人们会使用什么方法来引用呢? (请随意纠正我,可能有更现代的方法,但这些对我有用)
mysql_real_escape_string($str)mysql_real_escape_string(addcslashes($str, "%_"))< /code>htmlspecialchars($str)json_encode()- 仅适用于 utf8!我将我的函数用于 iso-8859-2mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}'))- 在这种情况下你不能使用 preg_quote 因为反斜杠将被转义两次!preg_quote()You basically need different quoting for html/sql target formats. There is nothing like "universal quoting". When quoting, you always quote text for some particular output, like:
likeexpression for mysql queryFor each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like
magic_quotes_gpcare broken (never forget to handle it, or better, assure it is switched off!!!).So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
mysql_real_escape_string($str)mysql_real_escape_string(addcslashes($str, "%_"))htmlspecialchars($str)json_encode()- only for utf8! I use my function for iso-8859-2mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}'))- you cannot use preg_quote in this case because backslash would be escaped two times!preg_quote()