发表新帖
发表新帖

PDO prepared statements to store html content

前端 未结
关注
2 756
被撕碎了的回忆
被撕碎了的回忆 2021-01-15 08:29

I\'m looking for a way to handle HTML content within prepared statements.

My application provides a basic WYSIWYG Editor and after the user is saving the content my

相关标签:
2条回答
  • 长发绾君心
    2021-01-15 08:47

    Prepared statements do not escape variables. The command and the variables are transferred to database simultaneously but independently. If you see your data escaped in database, there's another reason. E.g. magic_quotes are turned on. Can you echo get_magic_quotes_gpc in your script to see if they're On or Off? If they're On, you can set them Off using different techniques. This will solve the problem.

    Additionaly, following your comment, prepared statements do prevent SQL injection attacks so you don't have to worry about escaping your variables. What may be difficult to understand is the way the prepared statements work. Say you have a query:

    $query = "SELECT `id` FROM `users` WHERE `login` = '" . $login . "' AND `password` = '" . $password ."'";

    $login and $password are passed to the query directly, as they are. If someone attempts to pass mylogin' -- to $login, the query becomes:

    $query = "SELECT `id` FROM `users` WHERE `login` = 'mylogin' -- ' AND `password` = 'anypassword'";

    and is send to the database. This way an attacker can gain access to any account.

    What prepared statements do, they transfer the query arguments independly of the query. The query is NOT build of the variables before it is transferred to database. Instead, the variables are transferred somehow next to the query. They are referenced in the query. This way the query can't be spoofed neither intentionally nor unintentionally.

    With prepared statement the exampled $login will be transferred as is, and will not affect the query structure.

    If it would be possible to carry passengers by plane, with passengers actually NOT boarding the plane, that would be called a "prepared flight" :) Passengers would not be able to influence the route and hijack the plane. They would have appeared at the target airport with the plane landing.

    0 讨论(0)
  • 情深已故
    2021-01-15 08:51

    have you tried to store the data encoded?

    http://php.net/base64_encode

    or http://php.net/serialize

    should work if used before / after the db is used

    0 讨论(0)
 看不清?
提交回复
热议问题