Troxy, posted June 28, 2007 (edited)

<?php
include("config.php");
// $_GET['id'] is interpolated straight into the SQL string here; this is the
// line later replies say needs mysql_real_escape_string
$result = mysql_query("SELECT * FROM comments WHERE tb_serveri_id='$_GET[id]' ORDER BY id ASC");
while ($row = mysql_fetch_assoc($result)) {
    // database values are printed into HTML without encoding
    echo "<hr><B>Niks:</B> {$row['username']} <BR>";
    echo "<B>Komentars:</B><BR><I>{$row['comment']}</I> </hr>";
}
?>

How do I apply the htmlspecialchars function in my case? I keep getting it wrong and putting it in the wrong place :|

Edited June 28, 2007 by Troxy
andrisp, posted June 28, 2007

Do it like this:

echo "<hr><B>Niks:</B> ".htmlspecialchars($row['username'])." <BR>";

PS. Use the code tag.
hackerman, posted June 28, 2007

Umm... since this is with mysql, wouldn't it be better to use mysql_real_escape_string there?
andrisp, posted June 28, 2007

hackerman, I think he is talking about how to print the data into HTML.
hackerman, posted June 28, 2007

Fine. But what would be the better way to handle a case like this, for example? Allow junk to be written in and only protect yourself afterwards, or trim everything right away? I would probably trim it right away. But anyway...
Troxy (author), posted June 28, 2007

That works for me, thanks andrisp.
andrisp, posted June 28, 2007

hackerman, mysql_real_escape_string and htmlspecialchars are completely different functions! mysql_real_escape_string protects against SQL injection (it escapes the ' and " characters), while htmlspecialchars (which escapes >, < and all such characters) protects against XSS.
Grey_Wolf, posted June 29, 2007

> but htmlspecialchars (which escapes >, < and all such characters)

htmlspecialchars does not escape anything... it simply converts the characters that are special to HTML (<> etc.) into a character sequence... which the browser then renders back as <>... e.g.:

& --> &amp;
< --> &lt;
> --> &gt;

whereas mysql_real_escape... really does escape...
andrisp, posted June 29, 2007

Sorry, Grey_Wolf, I picked the wrong word in a hurry.
Kavacky, posted July 3, 2007

andrisp, I think that before this you would want to escape:

$result = mysql_query("SELECT * FROM comments WHERE tb_serveri_id='$_GET[id]' ORDER BY id ASC");

And I think that is what he meant too, because why would you escape HTML.
andrisp, posted July 3, 2007

Realistically, this code needs both mysql_real_escape_string and htmlspecialchars. And the HTML must be escaped to prevent XSS.
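The thread ends on the point that the snippet needs both fixes: the query parameter must be kept out of the SQL text, and every database value must be HTML-encoded on output. The script below is an added example, not code posted by anyone in the thread. It rewrites Troxy's snippet with both protections. Because the mysql_* extension the thread uses was removed in PHP 7, it uses PDO with a prepared statement instead; an in-memory SQLite database stands in for MySQL so the script runs offline (with MySQL only the DSN and credentials in the PDO constructor change). The table and column names (comments, tb_serveri_id, username, comment) follow Troxy's code; the sample rows, the h() helper and the render_comments() function are constructed for this example.

```php
<?php
// Added example, not code from the thread. Rewrites Troxy's snippet with a
// parameterised query (PDO; the mysql_* functions are gone since PHP 7) and
// htmlspecialchars() on every value printed into HTML. SQLite in memory
// stands in for MySQL so this runs offline.

declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table and column names follow Troxy's snippet.
    $pdo->exec('CREATE TABLE comments (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        tb_serveri_id INTEGER NOT NULL,
        username TEXT NOT NULL,
        comment TEXT NOT NULL)');

    // Constructed sample rows. The second one carries XSS payloads and is
    // stored exactly as submitted: nothing is "trimmed" on input (hackerman's
    // question); the encoding happens at output time, which keeps the stored
    // data usable for consumers that are not HTML (an API, a plain-text mail).
    $ins = $pdo->prepare('INSERT INTO comments (tb_serveri_id, username, comment) VALUES (?, ?, ?)');
    $ins->execute([1, 'Troxy', 'Hello & welcome']);
    $ins->execute([1, '<script>alert(1)</script>', '<img src=x onerror="alert(document.cookie)">']);
    $ins->execute([2, 'someone', 'comment belonging to a different server']);
    return $pdo;
}

// Encode a string for an HTML text context. ENT_QUOTES also converts ' so the
// same helper is safe inside single-quoted attributes. The explicit charset
// matters: htmlspecialchars() returns '' for input that is invalid in that
// charset unless ENT_SUBSTITUTE tells it to emit U+FFFD instead.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the comment list for one server id. Returns the HTML rather than
// echoing it so the result can be inspected or tested.
function render_comments(PDO $pdo, string $rawId): string
{
    // The id is an integer, so validate it as one; anything else never
    // reaches SQL at all.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return "<p>Invalid server id.</p>\n";
    }

    // Bound parameter: the value travels separately from the query text, so
    // quotes or keywords inside it cannot change the statement.
    $stmt = $pdo->prepare('SELECT username, comment FROM comments WHERE tb_serveri_id = ? ORDER BY id ASC');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();

    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Every database value is encoded on its way into the HTML.
        $html .= "<hr>\n<b>Nick:</b> " . h($row['username']) . "<br>\n";
        $html .= "<b>Comment:</b><br>\n<i>" . h($row['comment']) . "</i>\n";
    }
    return $html;
}

$pdo = open_demo_db();

// Legitimate request: the stored <script> tag comes out as &lt;script&gt;
// and is shown as text instead of being executed.
echo render_comments($pdo, '1');

// The classic payload against the original '$_GET[id]' interpolation. Here it
// is rejected as a non-integer before any SQL runs; for a string column the
// bound parameter would likewise make it an ordinary value, not query text.
echo render_comments($pdo, "1' OR '1'='1");
```

With the 2007-era mysql extension the minimal equivalent fix for the query line was `'".mysql_real_escape_string($_GET['id'])."'`, keeping the surrounding quotes, since escaping only protects a value that sits inside a quoted SQL literal; for an integer column, casting or validating the value as an int does the same job. The output side does not change between the two eras: the encoding must happen where the value meets HTML, not where it enters the database, so the same stored comment can still be rendered correctly somewhere that is not an HTML page.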