Post containing unformatted html tags
I am writing a simple cms-like solution to keep track of my silly ideas.
Everything is going great, but I am now having some difficulties implementing the Xinha RTE plugin into my application.
I have followed their on-site tutorial, and it seems to be working but...
When applying formatting to a text (headings, paragraphs etc.), although the tags are saved correctly in the mysql database:
<h1>heading</h1>
<p>text example</p>
they are displayed as:
<h1>heading</h1><p>text example</p> (concatenated and NOT formatted, displaying tags instead)
or
<p>tesy</p> <h4>fgfg<br /></h4> <h2> </h2>
the last example output is because I made this change:
//$postCon = mysql_real_escape_string($postCon);
$postCon = htmlspecialchars($postCon);
That was only because someone at their forum said that it would be "dumb" to escape html special chars - since html tags are made up of them.
I have a really hard time specifying the actual problem, hence my question is a little sloppy. I hope that someone out there has been where I am now, and can provide some explanation or guidance in the right direction.
I will go drink coffee and ponder on this for now, and bring updates if I get anything new.
For now I will just leave you with the actual script which does the post handling.
thanks,
<?php
include_once 'bin/configDb.php';
include_once 'bin/connectDb.php';
include_once 'header.php';
//get stuff from post
$topicSub = $_POST['topic_subject'];
//$topicSub = mysql_real_escape_string($topicSub);
$topicSub = htmlspecialchars($topicSub);
$topicCat = $_POST['topicCat'];
// $topicCat = mysql_real_escape_string($topicCat);
$sesId = $_GET['username'];
//the form has been posted, so save it
//insert the topic into the topics table first, then we'll save the post into the posts table
$postCon = $_POST['post_content'];
//$postCon = mysql_real_escape_string($postCon);
$postCon = htmlspecialchars($postCon);
// ROLLBACK/COMMIT below only take effect inside an explicit transaction, so open one first
mysql_query("START TRANSACTION");
$sql = "INSERT INTO
topics(topic_subject, topic_date, topic_cat, topic_by)
VALUES('$topicSub', NOW(), '$topicCat', '$sesId' )";
$result = mysql_query($sql);
if(!$result)
{
//something went wrong, display the error
echo 'An error occurred while inserting your data. Please try again later.' . mysql_error();
$sql = "ROLLBACK;";
$result = mysql_query($sql);
}
else
{
//the first query worked, now start the second, posts query
//retrieve the id of the freshly created topic for usage in the posts query
$topicId = mysql_insert_id();
$sql = "INSERT INTO
posts(post_content,
post_date,
post_topic,
post_by)
VALUES
('$postCon', NOW(), '$topicId', '$sesId' )";
$result = mysql_query($sql);
if(!$result)
{
//something went wrong, display the error
echo 'An error occurred while inserting your post. Please try again later.' . mysql_error();
$sql = "ROLLBACK;";
$result = mysql_query($sql);
}
else
{
$sql = "COMMIT;";
$result = mysql_query($sql);
//after a lot of work, the query succeeded! (variable name fixed: it was $topicid, which is never set)
echo 'You have successfully created <a href="topic.php?id='. $topicId . '">your new topic</a>.';
//note: header() cannot redirect once output has been sent (header.php and the echo above already did),
//so either drop the echo and redirect before any output, or drop the redirect
header("location:admin.php");
}
}
include_once 'footer.php';
?>
You've missed the purpose of mysql_real_escape_string. It's there to make arbitrary string data SAFE to use in an SQL query. It's an SQL injection attack prevention method. htmlspecialchars will not help at all to prevent SQL injection attacks. You're using a screwdriver to drive in a nail. It may work in some cases, but won't ever cover all the cases. And it's those "uncovered" cases that will allow someone to attack your site by waltzing in through the front door.
I found the issue to be in a completely different area of the code. It was in the code that displayed the content, silly me. It was a
htmlentities(stripslashes())
doing the funny business.
Thanks for letting me put it out there.
Marc B, thanks for once again dealing with my sql injection issues. Feel free to pitch more recommendations my way.
I did take your last advice into use :) personal thanks to you
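The two separate concerns raised above, SQL escaping in Marc B's answer and the display code re-encoding the stored tags in the follow-up, as an added example that is not part of the original post or of Xinha. It assumes a PDO connection `$pdo` to the same topics/posts tables; in the SQL context it uses bound parameters, and in the HTML context it encodes the plain-text subject but parses and allowlists the rich-text body instead of running htmlentities() over it.

```php
<?php
// Added example, not the original post's code. Assumes a PDO connection $pdo to the post's tables.
// SQL context: bound parameters replace mysql_real_escape_string; no htmlspecialchars here.
function savePost(PDO $pdo, string $subject, string $cat, string $by, string $content): int
{
    $pdo->beginTransaction();
    try {
        $pdo->prepare('INSERT INTO topics(topic_subject, topic_date, topic_cat, topic_by)
                       VALUES (?, NOW(), ?, ?)')->execute([$subject, $cat, $by]);
        $topicId = (int) $pdo->lastInsertId();
        $pdo->prepare('INSERT INTO posts(post_content, post_date, post_topic, post_by)
                       VALUES (?, NOW(), ?, ?)')->execute([$content, $topicId, $by]);
        $pdo->commit();
        return $topicId;
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}
// HTML context, plain-text field: encode on output so "<b>" in a subject shows as text.
function renderSubject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// HTML context, rich-text field: do NOT htmlentities() it (that re-displays the tags); instead
// parse it and keep only an allowlist of elements, with no attributes except http(s) hrefs.
function renderPostContent(string $html): string
{
    $allowed = ['p', 'h1', 'h2', 'h3', 'h4', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate the loose HTML an editor emits
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $nodes = (new DOMXPath($doc))->query('//body//*');
    foreach (iterator_to_array($nodes) as $el) {  // snapshot: the tree is mutated below
        if (!in_array($el->nodeName, $allowed, true)) {
            // <script>, <iframe>, <div>...: unwrap to its text, which saveHTML() escapes
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $safeHref = $el->nodeName === 'a' && $attr->nodeName === 'href'
                && preg_match('#^https?://#i', $attr->nodeValue) === 1;
            if (!$safeHref) {
                $el->removeAttribute($attr->nodeName);  // drops onclick, style, javascript: URLs
            }
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Calling renderPostContent() on the stored `<h1>heading</h1><p>text example</p>` returns the same markup, so the browser renders the heading and paragraph, while a subject of `<script>` passed through renderSubject() is shown as literal text.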