使用php在mysql数据库中保存

时间:2022-09-26 08:38:39

I have a cms that I am working on for a client, he wants to add a code textbox so he can paste special code for pages on a page by page basis. So, I need to be able to give the user a way to input javascript tags into a page they are editing. When that page loads, the java code will show and run.

我有一个我正在为客户工作的cms,他想添加一个代码文本框,这样他就可以逐页粘贴页面的特殊代码。因此,我需要能够为用户提供一种方法,将javascript标签输入到他们正在编辑的页面中。当该页面加载时,java代码将显示并运行。

For example, Facebook code - it would be pasted into this code textarea and saved in the mysql database.

例如,Facebook代码 - 它将粘贴到此代码textarea并保存在mysql数据库中。

Note - the site is still using mysql_query and has not been converted, client has been told but they have no interest in updating so need the example done in mysql_query.

注意 - 该站点仍在使用mysql_query并且尚未转换,客户端已被告知,但他们没有兴趣更新,所以需要在mysql_query中完成的示例。

 <script type="text/javascript">(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
    fjs.parentNode.insertBefore(js, fjs);
 }(document, 'script', 'facebook-jssdk'));</script>

How can I safely save this to the database without breaking the javascript?

如何在不破坏javascript的情况下将其安全地保存到数据库中?

thanks!

谢谢!

2 个解决方案

#1

1  

Don't use mysql_real_escape_string

It's a step in the right direction but is not perfect. You need to use parameterised queries

这是朝着正确方向迈出的一步,但并不完美。您需要使用参数化查询

eg...

例如...

$stmt = $dbh->prepare("INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)");
$stmt->bindParam(':url', $url);
$stmt->bindParam(':snippet', $snippet);

// insert one row
$url = '/path/to/page';

$snippet = "<script type=\"text/javascript\">/*Your Javascript goes here*/</script>";
// OR
$snippet = $_REQUEST['Snippet'];

$stmt->execute();

#2

1  

If you use mysql_real_escape_string you should be able to escape any characters that would otherwise mess with you query.

如果你使用mysql_real_escape_string,你应该能够转义任何会破坏你查询的字符。

$jsData = $_POST['jsData'];
"Insert into yourTable (someColumn) VAlUES('" . mysql_real_escape_string($jsData) . "')";

After having a little chat with @Basic, I am going to point out to you that I strongly suggest you consider switching over to mysqli or pdo as these two classes will provide you with a safer way to query your database, and possibly even a faster way to do so.

在与@Basic聊聊之后,我将向您指出我强烈建议您考虑切换到mysqli或pdo,因为这两个类将为您提供更安全的查询数据库的方式,甚至可能更快这样做的方式。

#1

1  

Don't use mysql_real_escape_string

It's a step in the right direction but is not perfect. You need to use parameterised queries

这是朝着正确方向迈出的一步,但并不完美。您需要使用参数化查询

eg...

例如...

$stmt = $dbh->prepare("INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)");
$stmt->bindParam(':url', $url);
$stmt->bindParam(':snippet', $snippet);

// insert one row
$url = '/path/to/page';

$snippet = "<script type=\"text/javascript\">/*Your Javascript goes here*/</script>";
// OR
$snippet = $_REQUEST['Snippet'];

$stmt->execute();

#2

1  

If you use mysql_real_escape_string you should be able to escape any characters that would otherwise mess with you query.

如果你使用mysql_real_escape_string,你应该能够转义任何会破坏你查询的字符。

$jsData = $_POST['jsData'];
"Insert into yourTable (someColumn) VAlUES('" . mysql_real_escape_string($jsData) . "')";

After having a little chat with @Basic, I am going to point out to you that I strongly suggest you consider switching over to mysqli or pdo as these two classes will provide you with a safer way to query your database, and possibly even a faster way to do so.

在与@Basic聊聊之后,我将向您指出我强烈建议您考虑切换到mysqli或pdo,因为这两个类将为您提供更安全的查询数据库的方式,甚至可能更快这样做的方式。

标签:

相关文章