I am making a dynamic web page that allows people to post their favorite recipes. Below each recipe is a link that allows you to make a comment on the recipe. If you make a comment, the comment will be posted in the database UNLESS the comment has any apostrophes in it. Here's the code for the addcomment.inc.php page:
<?php
$con = mysql_connect("localhost", "test", "test") or die('Sorry, could not connect to database server');
mysql_select_db("recipe", $con) or die('Sorry, could not connect to database');
$recipeid = $_GET['id'];
$query = "select title from recipes where recipeid = $recipeid";
$result = mysql_query($query) or die('Could not retrieve file: ' . mysql_error());
echo "<form action=\"index.php\" method=\"post\">\n";
if (mysql_num_rows($result) == 0) {
$title = "Unknown Title";
}
else {
while($row=mysql_fetch_array($result, MYSQL_ASSOC)) {
$title = $row['title'];
}
}
echo "<h2>Enter your comment for the recipe \"$title.\" </h2>";
echo "<textarea rows=\"10\" cols=\"50\" name=\"comment\"></textarea><br>\n";
echo "Submitted by:<input type=\"text\" name=\"poster\"><br>\n";
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<input type=\"hidden\" name=\"content\" value=\"addcomment\">\n";
echo "<br><input type=\"submit\" value=\"Submit\">\n";
echo "</form>\n";
?>
A different php file called addcomment.inc.php retrieves the information. This is the code below:
<?php
$recipeid = $_POST['recipeid'];
$poster = $_POST['poster'];
$comment = htmlspecialchars($_POST['comment']);
$date = date("Y-m-d");
$con = mysql_connect("localhost", "test", "test") or die('Could not connect to server');
mysql_select_db("recipe", $con) or die('Could not connect to database');
$query = "INSERT INTO comments (recipeid, poster, date, comment) " .
" VALUES ($recipeid, '$poster', '$date', '$comment')";
$result = mysql_query($query) or die('Could not query database. ' . mysql_error());
if ($result)
echo "<h2>Comment posted</h2>\n";
else
echo "<h2>Sorry, there was a problem posting your comment</h2>\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
?>
How can I make this code properly handle single quotes if inputted into a comment form?
Before you glue anything into the MySql query pass it through mysql_real_escape_string()
Before you glue anything into HTML pass it through htmlspecialchars()
This way you can prevent SQL injections, JavaScript/HTML injections and wildfires.
You have to use mysql_real_escape_string()
$comment = mysql_real_escape_string($_POST['comment']);
You have to escape the input when you pass it on to MySQL with mysql_real_escape_string(), to avoid that the user can perform an SQL injection and do evil stuff with your database.
Example:
// wrong
$query = "select title from recipes where recipeid = $recipeid";
// correct
$query = "select title from recipes where recipeid = '" . mysql_real_escape_string($recipeid) . "'"; // quote the value: escaping only protects a quoted string
You also have to escape the output when you pass it on to the browser with htmlspecialchars() (or urlencode() in URLs), otherwise someone could insert some malicious HTML or JavaScript code in your database, and then attack your other users with an XSS attack.
Example:
// wrong
echo "<input type=\"hidden\" name=\"recipeid\" value=\"$recipeid\">\n";
echo "<a href=\"index.php?content=showrecipe&id=$recipeid\">Return to recipe</a>\n";
// correct
echo "<input type=\"hidden\" name=\"recipeid\" value=\"" . htmlspecialchars($recipeid) . "\">\n";
echo "<a href=\"index.php?content=showrecipe&id=" . urlencode($recipeid) . "\">Return to recipe</a>\n";
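As an added example, not code from the question or from any of the answers: the comment handler rewritten with mysqli prepared statements, which on current PHP replace mysql_real_escape_string() (the mysql_* functions were removed in PHP 7). Only the connection details, database name and table/column names are taken from the question; everything else is assumed.

```php
<?php
// Added example: the addcomment handler rebuilt so that an apostrophe (or any
// SQL syntax) in a comment can never break or alter the INSERT statement.
// Host/user/password and the "recipe" database come from the question.

// Make MySQL errors throw exceptions instead of being silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli("localhost", "test", "test", "recipe");
$con->set_charset("utf8mb4"); // connection charset must match the data being bound

// recipeid is an integer column: validate it as a positive integer. Escaping a
// value that is interpolated unquoted into SQL does not protect it.
$recipeid = filter_input(INPUT_POST, 'recipeid', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
if ($recipeid === null || $recipeid === false) {
    http_response_code(400);
    exit("<h2>Invalid recipe id</h2>\n");
}
$poster  = $_POST['poster'] ?? '';
$comment = $_POST['comment'] ?? ''; // store raw text; htmlspecialchars() belongs at output time
$date    = date("Y-m-d");

try {
    // Placeholders keep the data out of the statement text, so "O'Brien" or
    // "It's great" are only ever string values, never SQL.
    $stmt = $con->prepare(
        "INSERT INTO comments (recipeid, poster, date, comment) VALUES (?, ?, ?, ?)"
    );
    $stmt->bind_param("isss", $recipeid, $poster, $date, $comment);
    $stmt->execute();
    $stmt->close();
    echo "<h2>Comment posted</h2>\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; echoing mysql_error() to the browser, as the
    // question's die() call does, reveals schema and query details to users.
    error_log("addcomment failed: " . $e->getMessage());
    echo "<h2>Sorry, there was a problem posting your comment</h2>\n";
}

// Two output contexts: urlencode() for the query-string value, then
// htmlspecialchars() for the attribute, as the answers above recommend.
$link = "index.php?content=showrecipe&id=" . urlencode((string) $recipeid);
echo "<a href=\"" . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . "\">Return to recipe</a>\n";
```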