Inserting HTML code in a MySQL table

我在风中等你 2020-12-11 01:14

I use Joomla to manage a website... and I am developing a standalone PHP application that will insert and modify data into the tables that are used by Joomla to store the

11 answers
  • 2020-12-11 01:42

    You should not need slashes. The only thing that will cause a problem during normal inserts is the quotes, and mysql_escape_string() should handle that excepting charset issues. Try mysql_real_escape_string() as well.

    Also, note that storing raw user-supplied HTML in the database can lead to security issues. Consider using something like bbcode or markdown instead.

    0 Discussion (0)
  • 2020-12-11 01:44

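    This is the best way I found: addslashes()

    $article_code = addslashes($article_code);

    // `fulltext` is a reserved word in MySQL, so the column name is backtick-quoted
    $query = "UPDATE $jos_content
    SET    introtext = '$intro_code',
           `fulltext`  = '$article_code'
    WHERE  id = '$article_id'";

    0 Discussion (0)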
  • 2020-12-11 01:47

    Calling the mysql_escape_string() function, passing in the variable that holds the HTML text, like:

    mysql_escape_string($_POST["text"]);

    will ensure that the special characters like quotes in the text will not cause a PHP error and the database will be updated successfully.

    0 Discussion (0)
  • 2020-12-11 01:49

    I had the same problem; I fixed it with regular expressions. You can use something like this: $target = '{~p class={{q}}important-text{{q}}~}Some text here {~/p~}';

    and then use the preg_replace() function:

    class handle
    {
      // Turn the {~ ... ~} and {{q}} placeholders back into HTML markup
      public static function makehtml($target)
      {
        // Each step works on the previous result so that all three replacements apply
        $output = preg_replace("#{~#", "<", $target);
        $output = preg_replace("#~}#", ">", $output);
        $output = preg_replace("#{{q}}#", '"', $output);
        return $output;
      }
    }
    echo handle::makehtml($target);
    // output : <p class="important-text">Some text here </p>

    0 Discussion (0)
  • 2020-12-11 01:50

    Well..Debugged it.. Turns out the problem was after all not with the escaping function...

    Check out the query :

    "UPDATE $jos_content
    SET    introtext = '$intro_code',
           fulltext  = '$article_code'
    WHERE  id = '$article_id'";
    

    You can see the 'fulltext' field... Apparently, the word "fulltext" is a MySQL keyword... To be precise, it's a field type like TEXT, INT, MEDIUMTEXT etc...

    I changed the query to this

    "UPDATE $jos_content
    SET    $jos_content.introtext = '$intro_code',
           $jos_content.fulltext  = '$article_code'
    WHERE  $jos_content.id = '$article_id'";
    

    And voila...!!!!

    0 Discussion (0)
  • 2020-12-11 01:51

    I prefer to convert code to an ordinary string before inserting it into the database. I think it's the safest scenario. Consider using this code:

    $article_code = base64_encode($article_code);
    /* insert to database */


    So, when you want to use that code again, just decode it using base64_decode. I suggest you use the 'text' data type for saving $article_code rather than 'varchar'.

    0 Discussion (0)
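For comparison with the hand-escaping in the answers above, an added example (not code from the thread) that stores HTML through a PDO prepared statement, so quotes need no addslashes() or base64 step and the reserved column name is backtick-quoted. The in-memory SQLite DSN (needs the pdo_sqlite extension), the table layout and the saveArticle()/loadBody() helpers are assumptions made so the script runs offline; against Joomla's MySQL database only the DSN changes.

```php
<?php
// Added example: bound parameters instead of string escaping.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
// For MySQL use a DSN like 'mysql:host=HOST;dbname=DB;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the Joomla content table.
$pdo->exec('CREATE TABLE jos_content (
    id INTEGER PRIMARY KEY, introtext TEXT, `fulltext` TEXT)');
$pdo->exec("INSERT INTO jos_content (id, introtext, `fulltext`) VALUES (1, '', '')");

function saveArticle(PDO $pdo, int $id, string $intro, string $body): int
{
    // `fulltext` is a reserved word in MySQL, hence the backticks.
    // Table and column names cannot be bound, so they stay fixed literals;
    // only the values travel as parameters.
    $stmt = $pdo->prepare(
        'UPDATE jos_content
            SET introtext = :intro, `fulltext` = :body
          WHERE id = :id'
    );
    $stmt->bindValue(':intro', $intro, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows updated
}

function loadBody(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT `fulltext` FROM jos_content WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample: HTML with both quote styles and a backslash.
$html = '<p class="important-text">It\'s a "quoted" C:\\path</p>';
$rows = saveArticle($pdo, 1, '<b>intro</b>', $html);
$stored = loadBody($pdo, 1);

// The value must come back byte-for-byte, with no slashes added.
if ($rows !== 1 || $stored !== $html) {
    throw new RuntimeException('round trip changed the HTML');
}
// If the stored markup is untrusted and shown as text, escape at output time.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Binding only protects the query; whether the stored HTML is safe to render is a separate decision made at output time.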