dongyan3018 2014-08-20 15:06
Accepted

Escaping HTML when updating a MySQL table with UPDATE

I'm trying to escape the string below (Text + Youtube HTML IFrame): HTML Form to Database

$maq = 'TEXT  TEXT  TEXT  TEXT  TEXT  TEXT  TEXT  TEXT ' .
       '<iframe width="300" height="265" src="//www.youtube.com/embed/0Ek2ayXgniw" frameborder="0" allowfullscreen></iframe>';

To Update a MySQL Table:

require 'connect.inc';
$sql = "UPDATE maquinas SET
        maq = '$maq'
        WHERE id = $id";
$sql_result = mysql_query($sql, $connection) or die();

I tried these following PHP functions before MySQL Update:

htmlentities($maq);
addslashes($maq);
htmlspecialchars($maq);
mysql_real_escape_string($maq);  // this before $sql_result

None escaped HTML.

How can I do it ?


1 answer

  • du27271 2014-08-20 15:27

    You must use mysql_real_escape_string on $maq only (before merging the parameters into $sql). It prepares the values for the database. This means it escapes all dangerous chars like ", ', etc. < and > are not affected, because they don't affect the mysql command.
    BTW, you shouldn't use mysql_. It is deprecated. It's better to use mysqli_ or PDO.

    This answer was selected by the asker as the best answer.
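The answer's advice carried through with PDO, as an added example that is not part of the question or the answer above (the DSN, credentials, and the `maquinas(id, maq)` table layout are assumptions):

```php
<?php
// Added example, not code from the question or answer. It assumes a table
// maquinas(id INT, maq TEXT) and the connection details below.

function updateMaquina(PDO $pdo, int $id, string $maq): int
{
    // A placeholder keeps $maq out of the SQL text entirely: quotes, backslashes,
    // and the < > of the iframe are stored verbatim, with no manual escaping.
    $stmt = $pdo->prepare('UPDATE maquinas SET maq = :maq WHERE id = :id');
    $stmt->bindValue(':maq', $maq, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function loadMaquina(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT maq FROM maquinas WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['maq'];
}

// Assumed connection details; use your own.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Constructed sample value: text with a quote plus the iframe from the question.
$maq = "TEXT TEXT TEXT it's a test + "
     . '<iframe width="300" height="265" src="//www.youtube.com/embed/0Ek2ayXgniw" frameborder="0" allowfullscreen></iframe>';

updateMaquina($pdo, 1, $maq);

// HTML escaping is an output-time concern, not a storage one. When the stored
// markup is shown for editing (or anywhere it must not execute), escape it here;
// echoing user-supplied markup unescaped is a stored XSS risk.
$stored = loadMaquina($pdo, 1);
echo '<textarea name="maq">' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</textarea>';
```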
