I have a cms that I am working on for a client, he wants to add a code textbox so he can paste special code for pages on a page by page basis. So, I need to be able to give the user a way to input javascript tags into a page they are editing. When that page loads, the java code will show and run.
我有一个我正在为客户工作的cms,他想添加一个代码文本框,这样他就可以逐页粘贴页面的特殊代码。因此,我需要能够为用户提供一种方法,将javascript标签输入到他们正在编辑的页面中。当该页面加载时,java代码将显示并运行。
For example, Facebook code - it would be pasted into this code textarea and saved in the mysql database.
例如,Facebook代码 - 它将粘贴到此代码textarea并保存在mysql数据库中。
Note - the site is still using mysql_query and has not been converted, client has been told but they have no interest in updating so need the example done in mysql_query.
注意 - 该站点仍在使用mysql_query并且尚未转换,客户端已被告知,但他们没有兴趣更新,所以需要在mysql_query中完成的示例。
<script type="text/javascript">(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
How can I safely save this to the database without breaking the javascript?
如何在不破坏javascript的情况下将其安全地保存到数据库中?
thanks!
谢谢!
2 个解决方案
#1
1
Don't use mysql_real_escape_string
It's a step in the right direction but is not perfect. You need to use parameterised queries
这是朝着正确方向迈出的一步,但并不完美。您需要使用参数化查询
eg...
例如...
$stmt = $dbh->prepare("INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)");
$stmt->bindParam(':url', $url);
$stmt->bindParam(':snippet', $snippet);
// insert one row
$url = '/path/to/page';
$snippet = "<script type=\"text/javascript\">/*Your Javascript goes here*/</script>";
// OR
$snippet = $_REQUEST['Snippet'];
$stmt->execute();
#2
1
If you use mysql_real_escape_string you should be able to escape any characters that would otherwise mess with you query.
如果你使用mysql_real_escape_string,你应该能够转义任何会破坏你查询的字符。
$jsData = $_POST['jsData'];
"Insert into yourTable (someColumn) VAlUES('" . mysql_real_escape_string($jsData) . "')";
After having a little chat with @Basic, I am going to point out to you that I strongly suggest you consider switching over to mysqli or pdo as these two classes will provide you with a safer way to query your database, and possibly even a faster way to do so.
在与@Basic聊聊之后,我将向您指出我强烈建议您考虑切换到mysqli或pdo,因为这两个类将为您提供更安全的查询数据库的方式,甚至可能更快这样做的方式。
#1
1
Don't use mysql_real_escape_string
It's a step in the right direction but is not perfect. You need to use parameterised queries
这是朝着正确方向迈出的一步,但并不完美。您需要使用参数化查询
eg...
例如...
$stmt = $dbh->prepare("INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)");
$stmt->bindParam(':url', $url);
$stmt->bindParam(':snippet', $snippet);
// insert one row
$url = '/path/to/page';
$snippet = "<script type=\"text/javascript\">/*Your Javascript goes here*/</script>";
// OR
$snippet = $_REQUEST['Snippet'];
$stmt->execute();
#2
1
If you use mysql_real_escape_string you should be able to escape any characters that would otherwise mess with you query.
如果你使用mysql_real_escape_string,你应该能够转义任何会破坏你查询的字符。
$jsData = $_POST['jsData'];
"Insert into yourTable (someColumn) VAlUES('" . mysql_real_escape_string($jsData) . "')";
After having a little chat with @Basic, I am going to point out to you that I strongly suggest you consider switching over to mysqli or pdo as these two classes will provide you with a safer way to query your database, and possibly even a faster way to do so.
在与@Basic聊聊之后,我将向您指出我强烈建议您考虑切换到mysqli或pdo,因为这两个类将为您提供更安全的查询数据库的方式,甚至可能更快这样做的方式。