我创建了迷你内容管理系统.现在有几个问题
I've created mini content management system. Now got afew questions
我正在过滤具有以下功能的帖子
I'm filtering posts with following function
function filter($data, $db) { $data = trim(htmlentities(strip_tags($data))); if (get_magic_quotes_gpc()) $data = stripslashes($data); $data = $db->escape_string($data); return $data; }PHP 代码看起来像那样
And the PHP code looks like that
$name=filter($_POST['name'], $db); $title=filter($_POST['title'], $db); $parent=filter($_POST['parent'],$db); $switch=filter($_POST['switch'], $db); if($switch=''){ echo "Return back and select an option"; die(); } $parentcheck=filter($_POST['parentcheck'],$db); if($parentcheck=='0') { $parent=$parentcheck; } $purifier = new HTMLPurifier(); $content = $db->real_escape_string( $purifier->purify( $_POST['content']) ); if(isset($_POST['submit'])&&$_POST['submit']=='Ok'){ $result=$db->query("INSERT INTO menu (parent, name, showinmenu) VALUES ('$parent', '$name', '$switch'") or die($db->error); $result2=$db->query("INSERT INTO pages (id, title, content) VALUES ('<what?>', '$title', '$content'") or die($db->error); }这就是我的桌子的样子
名为pages"的表
和菜单"
我的问题如下:
我正在尝试从 menu 表中获取自动递增的 id 值('$parent', '$name', '$switch'") 插入并在 pages 表中设置此 id在插入 ($title, $content) 时.怎么做?单人可以吗查询?
I'm trying to get autoincremented id value from menu table after ('$parent', '$name', '$switch'") insertion and set this id in pages table while inserting ($title, $content). How to do it? Is it possible with single query?
$content 的值是带有 HTML 标签的文本.我正在使用 html 净化器.在插入数据库表之前,我也可以过滤它的值吗?任何建议/忠告?
$content's value is the text with HTML tags. I'm using html purifier. May I filter it's value too before inserting into db table? Any suggestion/advice?
推荐答案看起来您正在使用 mysqli 作为数据库库,因此您可以使用 $db->insert_id() 以检索由该特定数据库句柄的插入操作创建的 LAST id.所以你的查询会变成:
Looks like you're using mysqli as the DB library, so you can use $db->insert_id() to retrieve the LAST id created by an insert operation by that particular DB handle. So your queries would become:
$result=$db->query("INSERT INTO menu (parent, name, showinmenu) VALUES ('$parent', '$name', '$switch'") or die($db->error); $new_id = $db->insert_id(); $result2=$db->query("INSERT INTO pages (id, title, content) VALUES ($new_id, '$title', '$content'") or die($db->error); ^^^^^^^您无法在单个查询中真正做到这一点,因为在查询完成之前,mysql 不会为 insert_id 函数提供 ID 值.因此,您必须分 3 个步骤执行此操作:插入、获取 id、再次插入.
You can't really do it in a single query, as mysql does not make the ID value available for the insert_id function until AFTER the query completes. So you do have to do this in a 3 step process: insert, get id, insert again.
数据库过滤的规则(更好地称为转义)是转义用户提供的任何内容.这甚至包括您在其他数据库查询中检索并重新插入的数据.转义并不是真正的安全措施——它是为了确保您放入查询字符串的任何内容都不会破坏查询.防止 SQL 注入攻击只是这个的副作用.
The rule for DB filtering (better known as escaping) is to escape ANYTHING that's user-provided. This even includes data you've retrieve in other db queries and are re-inserting. Escaping isn't really there as a security measure - it's there to make sure that whatever you're putting into the query string doesn't BREAK the query. Preventing SQL injection attacks is just a side effect of this.
更多推荐
一次将值插入到多个 MySQL 表中
发布评论