Fatal编程技术网
  • php/
  • Php 无法清理用户输入的数据

Php 无法清理用户输入的数据

php mysql forms

Php 无法清理用户输入的数据,php,mysql,forms,Php,Mysql,Forms,我有一个脚本,允许艺术家编辑他们的个人资料。有一件事证明是个问题。我不知道如何清理用户输入的内容。每次在数据中加上“a”都不会显示,因为它缩短了php的长度 这是我的简历表: username = $_SESSION['username']; $pass = $_SESSION['password']; include ("../database.php"); $result = mysql_query("SELECT * FROM members WHERE userna

我有一个脚本,允许艺术家编辑他们的个人资料。有一件事证明是个问题。我不知道如何清理用户输入的内容。每次在数据中加上“a”都不会显示,因为它缩短了php的长度

这是我的简历表:

username = $_SESSION['username'];
    $pass = $_SESSION['password']; 
   include ("../database.php");
   $result = mysql_query("SELECT * FROM members WHERE username='$username' AND     password='$pass' AND artist='Y'");

while($row = mysql_fetch_array($result)){

       echo '<div id="artistsbio"><form action="phpscripts/artistupdate.php" method="post">
       <textarea name="bio" rows="10" cols="80" name="bio" value="'. $row['bio']. '" class="bio">'. $row['bio']. '</textarea><br>
       <div id="probwarn"><t1>Everything is still in the beta stage so there are bound to be a few problems. If you spot one please <a href="mailto:artists@newbornsounds.co.uk"><b>tell us about it.</b></a></t1></div>

       </div>';
下面是上传到数据库的脚本

$username = $_SESSION['username']; 
    $pass = $_SESSION['password'];

     $artistname = $_POST['artistname'];
     $bio = $_POST['bio'];




include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");

$artisturl = mysql_query("SELECT * FROM members  
WHERE username='$username' AND password='$pass'  AND artist='Y'");

while($row = mysql_fetch_array($artisturl)){
if (isset($_POST['submit'])) {header("location:../artists/artist.php?    artist=".$row['artistname']."");}
}

}
else echo'<p1>You must be an artist to use these features.</p1>';
是的,我知道我需要升级到mysqli,我知道我需要使用准备好的语句。不过,需要先对其进行分类。

在向数据库输入任何内容之前,只需调用:

mysql_real_escape_string($YOUR_POSSIBLY_QUOTED_STRING);
如果要在SQL查询中使用用户输入,则需要对其进行清理。 这里有一个简单的例子

$username = mysql_real_escape_string($_SESSION['username']); 
$pass = mysql_real_escape_string($_SESSION['password']);
$artistname = mysql_real_escape_string($_POST['artistname']);
$bio = mysql_real_escape_string($_POST['bio']);

include ("../database.php");
mysql_query("UPDATE members SET  bio='$bio', artistname ='$artistname'
WHERE username='$username' AND password='$pass'  AND artist='Y'");
如果你转向准备好的陈述,那么你就不必解决这种令人沮丧的问题。。。