// Integer-cast the GET parameter so it can only ever be a number before it is
// used anywhere near a query.
if (isset($_GET['is_id']) ) {
$is_id = (int) $_GET['is_id'];
// Escape every POST value in place so a single quote cannot break out of a
// quoted SQL literal.
// NOTE(review): mysql_real_escape_string() needs an open mysql_* connection
// (without one it tries a default connect and returns false with a warning,
// silently turning every field into ""), emits a warning and returns null for
// array fields such as name[], and only protects a *quoted* SQL string literal.
// It is NOT HTML escaping - these values still need htmlspecialchars() when
// echoed. The mysql_* extension was removed in PHP 7.0; prepared statements
// (PDO or mysqli) are the correct replacement for escape-everything-up-front.
// The "if" opened above is not closed within this excerpt.
foreach($_POST AS $key => $value) { $_POST[$key] = mysql_real_escape_string($value); }
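// Count the tr_noti_list rows for this nid.
// NOTE(review): $nid is not defined anywhere in this snippet. It is spliced
// into the query as a bare (unquoted) numeric literal, so the author expects an
// integer; casting it here (as is_id is cast on the GET path) guarantees a
// non-numeric value cannot rewrite the WHERE clause. mysql_* has no parameter
// binding and was removed in PHP 7.0 - a PDO prepared statement is the real fix.
// "or trigger_error" matches the listing query below: a failed query otherwise
// hands false to mysql_fetch_row(), which warns and leaves $list_c null.
$cr = mysql_query("SELECT COUNT(nil_id) FROM tr_noti_list Where nid = " . (int) $nid) or trigger_error(mysql_error());
$cr = mysql_fetch_row($cr);
$list_c = $cr[0];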
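// Joined listing: one row per car with its driver's and company's names.
// The query is fully static - nothing is interpolated - so a heredoc is safe
// here. The original opener "<<" is not valid PHP; a heredoc needs "<<<ID" with
// the same ID, alone at column 0, closing it.
$sql = <<<SQL
SELECT ci.license, ci.cid, ci.did as driver_code, ci.office_exp, ci.cc, ci.fuelTax, ci.licenseTax, dr.name as driver, com.name as com_name
FROM tr_car_inf ci, tr_driver dr, tr_company com
WHERE ci.cid = com.cid
AND ci.did = dr.did
ORDER BY `dr`.`name` ASC
SQL;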
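// Run the listing query; fail loudly instead of iterating over false.
$result = mysql_query($sql) or trigger_error(mysql_error());
// Collect the rows. MYSQL_ASSOC replaces the default MYSQL_BOTH, which returns
// every column twice (numeric and named key) and therefore ran stripslashes()
// twice per value. The original loop also overwrote $row on every pass and
// kept nothing; $rows now holds the cleaned result set.
$rows = array();
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    foreach ($row as $col => $val) {
        // NOTE(review): needing stripslashes() on read suggests the write path
        // stored escaped backslashes (magic_quotes plus mysql_real_escape_string
        // double-escaping). Fix the write path rather than undoing it here, and
        // escape for the HTML context with htmlspecialchars() at render time.
        $row[$col] = stripslashes($val);
    }
    $rows[] = $row;
}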
// Form-submit gate, kept as its own branch for tidiness.
// NOTE(review): a fixed hidden field (submitted=1) only tells you the form was
// posted; it is not a CSRF defence because any third-party page can post it.
// Pair it with a per-session random token (random_bytes() on PHP >= 7,
// openssl_random_pseudo_bytes() before that) stored server-side and compared
// here with hash_equals() before any state-changing work runs.
if (isset($_POST['submitted'])) {
}
<!-- Marker so the handler can tell a submit from a plain page load. It is a constant, so it proves nothing about who sent the form; add a per-session CSRF token field next to it. -->
<input type='hidden' value='1' name='submitted' />
PHP 陣列轉成文字字串（序列化），方便存進單一欄位或在請求間傳遞
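// Flatten the array to a single string. base64 is an encoding, not encryption:
// it hides nothing, and anyone holding the string can decode, alter and re-encode it.
$ni_list = base64_encode(serialize($all_list));
// Restore it. The original decoded $all_list instead of $ni_list, which handed
// the array itself to base64_decode() and so could never round-trip.
// SECURITY: never unserialize() a string that came back from the client or any
// other untrusted source - it is a PHP object-injection vector. If this value
// crosses a trust boundary, carry it as json_encode()/json_decode($s, true)
// instead, or at minimum use unserialize($s, array('allowed_classes' => false))
// on PHP >= 7.0, and authenticate it (e.g. an HMAC) if it must stay serialize()d.
$all_list = unserialize(base64_decode($ni_list));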
相關問題處理，轉貼自 http://cychiang719.blogspot.com/2009/03/phpserializeunserialize.html
由於序列化後的字串要顯示在 textbox（也就是 HTML 屬性值）裡，用上述方法仍會有漏洞：字串中的引號或 > 會破壞屬性並造成 XSS。
試了很久，下面這個順序應該比較理想：
1. 寫入資料庫時，只做 urlencode（若要使用 addslashes，則在這之前做）。
例：$a = urlencode(addslashes($text));
注意：urlencode 與 addslashes 都不是 SQL 注入的防線，只是讓字串在儲存時不含特殊字元；寫入時仍應用 PDO 或 mysqli 的 prepared statement 綁定參數，而不是靠字串處理。
2. 前端顯示時，先解開 urlencode，再去掉 slashes，最後用 htmlspecialchars 依 HTML 語境跳脫。
例：$a = htmlspecialchars(stripslashes(urldecode($dbValue)), ENT_QUOTES, '頁面實際編碼，例如 UTF-8 或 BIG5');
放進 value='...' 這類屬性時一定要帶 ENT_QUOTES，否則單引號不會被跳脫，仍可跳出屬性；第三個參數要和頁面的 charset 一致。
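// Take the first six characters of $word.
// substr() counts bytes, so on multibyte text (Chinese in UTF-8 or Big5) it can
// cut through a character and leave a broken trailing byte; mb_substr() counts
// characters. It uses mb_internal_encoding() unless a 4th argument names the
// encoding - pass the page's actual charset explicitly if the site is not UTF-8.
mb_substr($word, 0, 6);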
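// Split a "||"-delimited POST field into records. When the sender appends "||"
// after every record, explode() leaves an empty string as the final element.
$raw = isset($_POST['postdata']) ? (string) $_POST['postdata'] : '';
$records = explode('||', $raw);
// Only drop the trailing element when it really is the empty string left by a
// terminating "||": popping unconditionally discarded the last real record
// whenever the input had no trailing delimiter. explode() always returns at
// least one element, so end() is safe here.
$nou = '';
if (end($records) === '') {
    $nou = array_pop($records);
}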
// Build $des: a copy of $_POST with every value passed through
// mysql_real_escape_string so a single quote cannot terminate a SQL literal.
// NOTE(review): this only makes a value safe inside a *quoted* SQL string
// literal on the current mysql_* connection. It does nothing for unquoted
// numbers, identifiers, LIKE wildcards or HTML output, it warns and yields null
// for array fields such as name[], and the mysql_* API was removed in PHP 7.0.
// Prepared statements (PDO/mysqli) are the real fix; escaping every field up
// front is the wrong layer.
$des = array();
foreach ($_POST as $field => $raw) {
    $des[$field] = mysql_real_escape_string($raw);
}
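// Debug dump of $des, one "key = value" line per field.
// Both key and value are escaped for the HTML context: the
// mysql_real_escape_string() applied above is SQL escaping only, so echoing
// the values raw would let a posted <script> run in the page (XSS) - and the
// keys are client-controlled as well. ENT_QUOTES covers both quote styles; use
// the page's real charset (e.g. 'BIG5') in place of 'UTF-8' if it differs.
foreach ($des as $key_name => $value) {
    echo htmlspecialchars($key_name, ENT_QUOTES, 'UTF-8') . " = " . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br>";
}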