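// Read the integer GET parameter `is_id`. The (int) cast keeps only a leading
// integer, so the value can be interpolated into SQL without further quoting.
// The page lost every `$` sigil and never closed this `if`; both restored.
// $is_id stays undefined when the parameter is absent — check isset() before use.
if (isset($_GET['is_id'])) {
    $is_id = (int) $_GET['is_id'];
}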

 


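// Escape every POST value for use inside SQL string literals (sigils restored).
// NOTE(review): mysql_real_escape_string() needs an open mysql_* connection and
// the whole mysql_* extension is removed since PHP 7; prepared statements
// (PDO/mysqli) escape at the query boundary and replace this loop. Escaping
// $_POST in place also hands backslash-escaped text to every other consumer of
// $_POST, which is why later snippets on this page call stripslashes().
// An array-valued field (name[]) makes mysql_real_escape_string() warn.
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}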

 

 

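// Row count for one notification id.
// NOTE(review): the page shows `WHERE nid = nid`, a tautology; every other `$`
// on the page was stripped, so the right-hand side was presumably the PHP
// variable `$nid` — confirm. The (int) cast keeps the interpolated value out of
// the SQL grammar. The `or trigger_error` mirrors the join query below; the
// default E_USER_NOTICE does not halt, so a failed query still reaches
// mysql_fetch_row() with false.
$cr = mysql_query("SELECT COUNT(nil_id) FROM tr_noti_list WHERE nid = " . (int) $nid)
    or trigger_error(mysql_error());
$cr = mysql_fetch_row($cr);
$list_c = $cr[0];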

 

 

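// Join query: one row per car with its driver's and company's names.
// The page showed `<<` with the terminator `sql;`, i.e. a heredoc whose
// opener lost its label; restored as a plain heredoc. No request data is
// interpolated here, so the string-built query is fine as it stands.
$sql = <<<SQL
SELECT ci.license, ci.cid, ci.did as driver_code, ci.office_exp, ci.cc, ci.fuelTax, ci.licenseTax, dr.name as driver, com.name as com_name
FROM tr_car_inf ci, tr_driver dr, tr_company com
WHERE ci.cid = com.cid
AND ci.did = dr.did
ORDER BY `dr`.`name` ASC
SQL;

// trigger_error() defaults to E_USER_NOTICE, which does not halt; on failure
// $result is false and mysql_fetch_array() below warns once and ends the loop.
$result = mysql_query($sql) or trigger_error(mysql_error());
while ($row = mysql_fetch_array($result)) {
    // Strip the backslashes that magic_quotes_gpc (or escaping twice on insert)
    // left in the stored values. foreach iterates a copy, so writing back into
    // $row[$key] is safe. Each $row is discarded after this pass, as on the
    // page; presumably the rendering happens inside this loop.
    foreach ($row as $key => $value) {
        //if ($value == null) $value = "&nbsp;";
        $row[$key] = stripslashes($value);
    }
}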

 

 


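// Form-submission gate: the hidden field `submitted` (the <input> below) marks
// a POST that came from this form, so the handling code belongs inside this
// branch. A hidden constant is not a CSRF token — any origin can post it —
// so it only tells the form's own submit apart from a plain page load.
if (isset($_POST['submitted'])) {

}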

<input type='hidden' value='1' name='submitted' />

 

 

PHP陣列轉成文字檔

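// Flatten the array to one string: serialize(), then base64 so the result is
// safe to keep in a text column. base64 is an encoding, not encryption — the
// page's comment called it 加密 (encryption); anyone can decode it.
$ni_list = base64_encode(serialize($all_list));

// Convert back. The page decoded $all_list here, which is the array itself;
// the encoded string is $ni_list.
// NOTE(review): unserialize() on data that has left the process (database
// row, form field) instantiates whatever classes the payload names. For plain
// arrays json_encode()/json_decode() is the safer round-trip.
$all_list = unserialize(base64_decode($ni_list));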

相關問題處理,轉貼自http://cychiang719.blogspot.com/2009/03/phpserializeunserialize.html

由於要顯示在textbox裡,用上述方法還是會有漏洞
試了很久,下面這順序應該是比較理想
1.寫入資料庫時,只做 urlencode(若要使用addslashes,則在這之前)
例:$a = urlencode(addslashes($text));
2.前端顯示時,則先解開,然後將slashes去掉,再用htmlspecialchars
例:$a = htmlspecialchars(stripslashes(urldecode($dbValue)));

 

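// Take the first 6 characters of a string. substr() counts bytes and splits
// multi-byte UTF-8 characters (the page's data is Chinese), so mb_substr()
// with an explicit encoding is used instead; needs ext/mbstring.
$short = mb_substr($word, 0, 6, 'UTF-8');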

 

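// Split a delimiter-separated POST field into records. Data built by appending
// "value + delimiter" ends with a trailing delimiter, so explode() yields an
// empty last element; drop it only when it is actually there (the page popped
// unconditionally, which loses a real record when the trailer is missing).
// NOTE(review): the page shows explode('', ...) — explode() rejects an empty
// separator — and the delimiter character in the comment was lost with it;
// ',' is assumed here, confirm against the code that builds `postdata`.
$sep = ',';
$postdata = isset($_POST['postdata']) ? $_POST['postdata'] : '';
$records = explode($sep, $postdata);
if (end($records) === '') {
    array_pop($records);   // trailing separator, not a record
}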

 

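// Build $des: a copy of $_POST with every value escaped for SQL string
// literals, so only $des reaches the query and $_POST itself stays raw.
// NOTE(review): mysql_real_escape_string() needs an open mysql_* connection
// and is removed since PHP 7; prepared statements (PDO/mysqli) replace this
// copy entirely. The escaping only protects values placed inside quotes —
// an unquoted numeric position still needs a cast.
$des = $_POST;
foreach ($_POST as $k => $v) {
    $des[$k] = mysql_real_escape_string($v);
}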

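// Debug dump of $des. The keys and values come straight from the request, so
// both are HTML-escaped before being echoed; the page's version reflected the
// request body back into the HTML unescaped. SQL escaping (backslashes) does
// nothing for HTML, so the two escapes are independent.
foreach ($des as $key_name => $value) {
    echo htmlspecialchars($key_name, ENT_QUOTES, 'UTF-8') . " = "
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br>";
}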
