Inserting HTML data into db table_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-04-11 03:44 出处：网络

I\'m using following function before insertion html markup data into db table function html($data, $db)

相关专题：mysqli php

I'm using following function before insertion html markup data into db table

function html($data, $db)
{     
    $data = $db->escape_string($data);
    return $data;
}

But there is problem: i see "/" - slash 开发者_JAVA技巧before every " symbol For ex.

<p style=\"margin-top: 15px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; \">

How to deal with that problem?

No, it depends on what your escape_string() function does. And, moreover, wheter you have magic_quotes_gpc directive turned on or off (it should be off by default).

In order to insert safely into a database, you need to use mysql_real_escape_string() . NO addslashes(), NO home-brewed functions, but that one. Or, even better, use parametrized queries which lifts off your work of escaping quotes. Try with PDO

EDIT :

saw now the mysqli tag, so mysql_real_escape_string() is not an option, but the magic_quotes directive could still be the culprit for this.

In case you have magic_quotes on you can either turn them off in your PHP ini, through ini_set('magic_quotes_gpc',0); , .htacces php_flag magic_quotes_gpc Off or have a simple function like this:

function escape($value)
{
  if(get_magic_quotes_gpc())
  {
    $value = stripslashes($value);
  }
  //return mysql_real_escape_string($value);  changed after update
  return $value;
}

~~Be sure to have an open connection before using mysql_real_escape_string() or it will return FALSE.~~

Also, html DOESN'T NEED TO BE ESCAPED before going into a database. I mean, you need to escape YOUR QUERIES, and you achieve that by the methods I mentioned. Html and its maliciousness DOES NOTHING to the database.

Html needs to be escape ON OUTPUT, and only then, and you use htmlentities() at minimum, but further action is required in order to escape any possibile XSS injection vulnerabilities. It's a complex subject, it requires a lot of work in order to escape invisible control characters, malicious tags, and so on. You need to make further reasearch into this , and start reading about XSS Injection threats.

Anyway, not allowing a code to be executed on the browser is a start for this. Don't allow users to write html directly on your page (the same advice applies not only on user-submitted inputs, but on everything that comes from outside, like a $_GET parameter, or a Cookie, or even hidden form values) or you'll easily have a <script></script> dangerous problem, that can lead to cookie stealing, bad redirecting, traffic hijacking, an so many things I can't list here. USually htmlentities() provides a good level of protection against that, even though its output mithgt not be pretty.

mysql_real_escape_string is the answer

http://php.net/manual/en/function.mysql-real-escape-string.php

Your are getting with "/" because server is enabled the magic_quotes_gpc. you have to check the magic_quotes_gpc is enable or not.

if (get_magic_quotes_gpc()) {
    $text = stripslashes($text);
}
else {
    $text = $text;
}

use get_magic_quotes_gpc() to check.

I'm using http://php.net/manual/en/function.htmlspecialchars.php and http://www.php.net/manual/en/function.htmlspecialchars-decode.php to store html in the database.