PDO UPDATE 似乎没有存储报价?
我刚开始使用 PDO 方法,现在我遇到了一个小问题.如果我创建一个将名字和姓氏插入数据库的表单,我可以使用以下代码插入所有类型的特殊字符:
I'm just starting out with PDO methods and now I'm stuck at a little question. If I create a form to insert first name and last name into a database I can insert all types of special characters with the code below:
try {
$db = new PDO('mysql:dbhost=' . $dbhost . ';dbname=' . $dbname, $dbuser, $dbpass);
$db -> exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
echo $e->getMessage();
}
$query = $db->prepare("INSERT INTO users(fname, lname) VALUES(:fname, :lname)");
$insert_array = array(
":fname" => $fname,
":lname" => $lname
);
$query->execute($insert_array);
$db = NULL;
我可以插入 ":;,-!"#¤%&&(%)?{][]}£$€{{{$@@_--"
任何问题,甚至插入 SQL 注入.但是当我尝试使用类似代码更新数据库时,它确实接受所有类型的特殊字符,引号除外.为什么会这样?我用来更新的代码是:
I can insert ":;,-!"#¤%&&(%)?{][]}£$€{{{$@@_--"
without any problems, even insert an SQL-injection. But when I try to update the database with a similar code it does accepts all types of special characters, except quotes. Why is that? The code I'm using to update is:
try {
$db = new PDO('mysql:dbhost=' . $dbhost . ';dbname=' . $dbname, $dbuser, $dbpass);
$db -> exec("SET CHARACTER SET utf8");
} catch(PDOException $e) {
echo $e->getMessage();
}
$query = $db->prepare("UPDATE users SET fname=:fname, lname=:lname WHERE userid=:userid");
$update_array = array(
":fname" => $fname,
":lname" => $lname,
":userid" => $_GET['userid']
);
$query->execute($update_array);
$db = NULL;
感谢我能得到的所有帮助.
I'm grateful for all the help I can get.
-=SOLUTION=-
我不得不使用 htmlspecialchars()
来解码"字符串.像这样:
I had to use htmlspecialchars()
to "decode" the string. Like this:
<form action="" method="post">
First name<br><input type="text" name="fname" value="'.htmlspecialchars($user['fname']).'">
Last name: <br><input type="text" name="lname" value="'.htmlspecialchars($user['lname']).'">
<input type="submit">
</form>
现在各种特殊字符都可以完美运行.感谢大家的帮助,真的很感激!:D
Now all kinds of special characters works perfectly. Thanks for all help everybody, really appreciate it! :D
推荐答案
我相信 Waleed Khan 是正确的.在这种情况下不一定要对自己进行 xssing(尽管这是您在此处展示的一个明显漏洞,并且为此类攻击敞开了大门),而是据我所知只是破坏了您的 html.
Waleed Khan is correct I believe. Not necessarily xssing yourself in this case (though this is a clear vulnerability you show here and leave the door wide-open for such attacks), but instead just breaking your html as far as I can tell.
仅通过回显 $user['fname']
和 $user['lname']
值 raw - 其中包含上一次提交的双引号 - 您无意中允许在您绘制它时过早关闭 html 元素属性值,从而破坏您的 HTML 表单.很惊讶它仍然提交.在您的浏览器中,检查诸如 Firebug 之类的内容并检查表单 - 您应该会看到输入的格式很奇怪,并且可能在其后绘制了一些额外的字符.
By just echoing $user['fname']
and $user['lname']
values raw - which contain double quotes from the previous submission - you inadvertently allow the premature closure the html element attribute value as you draw it, thus breaking your HTML form. Surprised it still submits at all. In your browser, check something like Firebug and examine the form - you should see the input is oddly formed and maybe some extra characters drawn after it.
始终对 PHP 值使用 htmlentities() 或其他类似的转义帮助函数在直接在 HTML 中回显它们之前.总是.
Always use htmlentities() or other similar escape helper functions on PHP values before echoing them directly in HTML. Always.
例子:
<form action="" method="post">
First name<br><input type="text" name="fname" value="<?php echo htmlentities( $user['fname'], ENT_COMPAT, 'UTF-8' ); ?>">
Last name: <br><input type="text" name="lname" value="<?php echo htmlentities( $user['lname'], ENT_COMPAT ); ?>">
<input type="submit">
</form>
关于您声称如果我删除表单值中的引号,它正在使用引号进行更新",我认为这意味着您使用单引号而不是双引号设置 HTML 元素属性值-引号,它真的根本不起作用.
regarding your claim that "And it's working to update with quotes if I delete the quotes in the value of the form", which I take to mean you set your HTML element attribute values using single-quotes rather than double-quotes, it's really not working at all.
如果用户提交了带有单引号的值,它同样会破坏您的固定示例,因为值中的单引号会过早关闭您的 HTML 元素属性值声明.使用双引号来声明 HTML 元素的属性值是最好的,但是如果您在构建 HTML 元素时选择使用单引号,那么在 PHP 中,使用 htmlentities($string, ENT_QUOTES)
.
If the user submitted a value with single quotes, it would similarly break your fixed example because a single quote in the value will prematurely close your HTML element attribute value declaration. Using double-quotes to declare an HTML element attribute value is best, but if you choose to use single quotes when you build the HTML element, then in PHP, use htmlentities($string, ENT_QUOTES)
.
请阅读 htmlentities
手册页,以确保您正确使用它.
Do study the htmlentities
manual page though to make sure you're using it properly.
相关文章