1. 首页
  2. 问答
  3. 我的数据库详细信息无法显示在php

我的数据库详细信息无法显示在php

2011-12-29 80 views
0

这是我的代码显示我的数据库(member_details)用户注册后,但在数据库中我有一个正在被注入JavaScript的行。我的数据库详细信息无法显示在php

<script>window.location="http://google.com"</script>

当我在浏览器中查看脚本时,它将用户重定向到google.com。

<?php 
     session_start(); 
     include ('includes/database_connection.inc.php'); 
    $conn = connectDatabase(); 

     if($_SESSION['uid'] == ''){ 
     // redirect unauthenticate user to login page. 
     header('Location: login.php'); 
     } 

     if($_GET['task'] == 'delete' && $_GET['id'] != ''){ 
      // delete function here 
     $sql="DELETE FROM Newest Where ID='".mysql_real_escape_string($_GET['id'])."'"; 

     mysql_query($sql,$conn); 
     header('Location: member_list.php'); 
     } 

     if($_POST['Logout']){ 
     session_destroy(); 
     header('Location: login.php'); 
    } 

    ?> 

    <html><head><title>Member Details</title> 
    </head> 
    <body> 
    <div style=" margin: 350px "> 
    <?php 


      $sql="SELECT * FROM Newest"; 
      $rs = mysql_query($sql,$conn) 
      or die(mysql_error()); 


     $list = "<table border=\"1\" cellpadding= \"2\">"; 
     $list .= "<tr><th>First Name</th>"; 
     $list .="<th>Last Name</th>"; 
     $list .= "<th>User Name</th>"; 
     $list .= "<th>Email</th>"; 
     $list .= "<th>Edit User</th>"; 
     $list .= "<th>Delete User</th>"; 
     $list .= "<th>Change Password</th>"; 


    While($row = mysql_fetch_array($rs)) { 

     $list .= "<tr>"; 
     $list .= "<td>".$row["name"]."</td>"; 
     $list .= "<td>".$row["last"]."</td>"; 
     $list .= "<td>".$row["user"]."</td>"; 
     $list .= "<td>".$row["email"]."</td>"; 
     $list .= "<td><a href='member_details.php?id=".$row['ID']."'>Edit</a></td>"; 
     $list .= "<td><a onclick='return confirm(\"Are you sure to delete ".$row["name"]." \")' href='member_list.php?id=".$row["ID"]."&task=delete'>Delete</a></td>"; 
     $list .= "<td><a href='Password.php?id=".$row['ID']."'>Click Here</a></td> 
     </tr>"; 

    } 
     $list .= "</table>"; 
     echo ($list); 

    ?> 
     <form method="post" action="member_list.php"><br> 
     <div style="margin : 0px 600px"> 
     <style type="text/css"> 
    body {background:#F5F5F5 url('http://images.apple.com/downloads/dashboard/travel/images/traveltodolist_20070724165034.jpg') no-repeat top;; 

      }</style> 


      <input type="submit" name="Logout" value="logout" /> 

      </form> 
    </body> 
    </html>

来源

2011-12-29 whywhy

+0

在输出时保证数据安全 - http://php.net/manual/en/function.htmlspecialchars.php – JohnP 2011-12-29 04:53:16

回答

0

您需要在将数据插入到数据库之前过滤数据。一个基本使用:mysql_real_escape_string

在拿从数据库中使用您的记录:strip_tags

使这种标签剥去。 希望它有帮助

来源

2011-12-29 04:46:07

 相关问题

  • 暂无相关问题^_^