新手需要源码的可以下载htdocs
首先,对于SQL的操作方式,使用的是PDO方式;
其次,转义HTML特殊符号时使用htmlspecialchars()方法.(也可以使用htmlentities()方法,但该方法会把字符串里的中文转成乱码.)
首先是首页:index.php
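<?php
/*
 * index.php — entry point.
 * config.php exists only after a successful install, so its presence decides
 * between the application (main.php) and the installer (install.php).
 */
// Resolve paths relative to this file rather than the current working
// directory, so the check does not depend on how PHP was invoked.
$config = __DIR__ . '/config.php';
if (file_exists($config)) {
    require_once __DIR__ . '/main.php';
} else {
    // Nothing has been output yet, so an HTTP redirect works for every client;
    // the script-based redirect is kept as a fallback for the original behaviour.
    header('Location: install.php');
    echo "<script>setTimeout(\"this.location='install.php'\",0);</script>";
}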
/******************************************************************/
接着进入安装的表单install.php
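<?php
/*
 * install.php — installer form.
 * Refuses to run once config.php exists (delete config.php to reinstall);
 * otherwise renders the database-credentials form, which posts to
 * installsql.php.
 */
header("Content-Type:text/html;charset=utf-8");
// Resolve relative to this file so the check does not depend on the working directory.
$config = __DIR__ . '/config.php';
if (file_exists($config)) {
    // An existing config file means the install already succeeded.
    echo "配置文件已存在,请删除删除config.php文件进行重新安装.";
    echo "<script>setTimeout(\"this.location='index.php'\",2000);</script>";
    exit;
}
$os = (DIRECTORY_SEPARATOR === '\\') ? "windows" : "linux";
if ($os === 'linux') {
    // NOTE(review): installsql.php only needs the web server's user to be able
    // to create config.php in this directory. World-writable (777) is wider
    // than required; write access for the server user/group is enough.
    echo "<center>您的系统为linux请开启777权限,否则无法写入配置文件.</center>";
}
?>
<html>
<head><meta charset="utf-8"><title>数据库配置向导</title></head>
<body>
<form method="post" action="installsql.php">
<table width="400" align="center">
<tr>
<td>MYSQL数据库地址:</td>
<td><input name="adder" type="text" size="30" maxlength="500" value="localhost"></td>
</tr>
<tr>
<td>MYSQL数据库帐号:</td>
<td><input name="user" type="text" size="30" maxlength="500" value="root"></td>
</tr>
<tr>
<td>MYSQL数据库密码:</td>
<td><input name="password" type="password" size="30" maxlength="500"></td>
</tr>
<tr>
<td>数据库名称:</td>
<!-- placeholder instead of value: the hint text is no longer submitted as the real name when left untouched -->
<td><input name="dbname" type="text" size="30" maxlength="500" placeholder="数据库名称"></td>
</tr>
<tr>
<td>数据表名称:</td>
<td><input name="dbtable" type="text" size="30" maxlength="500" placeholder="数据表名称"></td>
</tr>
</table>
<div align="center">
<input type="submit" value="安装">
</div>
</form>
</body>
</html>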
/******************************************************************/
进行SQL写入:
installsql.php
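<?php
/*
 * installsql.php — installer back end.
 * Receives the form from install.php, creates the database and table, seeds
 * one row and writes config.php.  Refuses to run once config.php exists.
 *
 * Security notes:
 *  - The original used the removed mysql_* API and interpolated the POSTed
 *    dbname/dbtable straight into CREATE DATABASE / CREATE TABLE.  Identifiers
 *    cannot be bound as PDO parameters, so they are validated against a strict
 *    character whitelist instead, and the seed row is inserted with bound
 *    parameters.
 *  - config.php is now generated with var_export(), so a password or name
 *    containing quotes, backslashes or "$" can no longer break out of the
 *    string literal and become executable code in the generated file.
 *  - As before, this page is reachable by anyone until config.php exists:
 *    run the installer immediately after deployment.
 */
header("Content-Type:text/html;charset=utf-8");
date_default_timezone_set('Asia/Shanghai');
$config = __DIR__ . '/config.php';
if (file_exists($config)) {
    echo "配置文件已存在,程序已成功安装.";
    echo "<script>setTimeout(\"this.location='index.php'\",2000);</script>";
    exit;
}

// Returns the named POST field as a string, or '' when it is absent or not a string.
function install_post_string($key)
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

$hostname    = install_post_string("adder");
$sqluser     = install_post_string("user");
$sqlpassword = install_post_string("password");
$dbname      = install_post_string("dbname");
$dbtable     = install_post_string("dbtable");

// Identifier whitelist: letters of any script, digits and underscore,
// 1-64 characters (MySQL's identifier limit).  Anything else is refused so
// the identifiers can be placed in DDL safely.
$identifier = '/^[\p{L}\p{N}_]{1,64}$/u';
if (!preg_match($identifier, $dbname) || !preg_match($identifier, $dbtable)) {
    echo "数据库名称或数据表名称不合法,只允许字母、数字和下划线";
    echo "</br>";
    echo "<a href='install.php'>返回</a>";
    exit;
}
// The host goes into the DSN; a ';' would let extra DSN options be appended.
if ($hostname === '' || str_contains($hostname, ';')) {
    echo "数据库地址不合法";
    echo "</br>";
    echo "<a href='install.php'>返回</a>";
    exit;
}

$escape = static fn ($s) => htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

try {
    $con = new PDO(
        "mysql:host={$hostname};charset=utf8",
        $sqluser,
        $sqlpassword,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
} catch (PDOException $e) {
    // Same wording as before; the driver message is escaped because it echoes
    // back the user-supplied host/user.
    die('无法连接: ' . $escape($e->getMessage()));
}

try {
    // Existence check with a bound parameter replaces the old mysql_select_db() probe.
    $exists = $con->prepare('SELECT 1 FROM information_schema.SCHEMATA WHERE SCHEMA_NAME = ?');
    $exists->execute([$dbname]);
    if ($exists->fetchColumn() !== false) {
        echo "数据库 " . $escape($dbname) . " 已存在";
        echo "</br>";
        echo "<a href='install.php'>返回</a>";
        exit;
    }

    $ip   = $_SERVER["REMOTE_ADDR"] ?? '';
    $time = date("Y-m-d H:i:s");
    // Identifiers were whitelisted above; backticks keep them valid even when
    // they start with a digit.  CHARACTER SET utf8 replaces the old per-session
    // "set names" statements.
    $con->exec("CREATE DATABASE `{$dbname}` CHARACTER SET utf8");
    $con->exec("USE `{$dbname}`");
    $con->exec("CREATE TABLE `{$dbtable}`(id int primary key auto_increment,text text(1024),name varchar(128),time varchar(64),ip varchar(32))");
    $seed = $con->prepare("INSERT INTO `{$dbtable}` (text,name,time,ip) VALUES (?,?,?,?)");
    $seed->execute(['我是内容我是内容哦', '管理员', $time, $ip]);
} catch (PDOException $e) {
    die('数据库初始化失败: ' . $escape($e->getMessage()));
}

// Generate config.php.  var_export() produces correctly quoted PHP string
// literals for every value, which is what the hand-built quoting could not
// guarantee.  No closing "?>" so the file cannot emit stray whitespace.
$dsn = "mysql:host={$hostname};dbname={$dbname};charset=utf8";
$configSource = "<?php\n"
    . '$dbtable=' . var_export($dbtable, true) . ";\n"
    . '$pdo=new PDO(' . var_export($dsn, true) . ','
    . var_export($sqluser, true) . ',' . var_export($sqlpassword, true) . ");\n";
if (file_put_contents($config, $configSource, LOCK_EX) === false) {
    // The original ignored a failed write and redirected anyway.
    die('无法写入配置文件config.php,请检查目录写权限.');
}
echo "<script>setTimeout(\"this.location='index.php'\",0);</script>";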
/******************************************************************/
再看安装好后生成的PDO连接
config.php
<?php
// config.php — generated by installsql.php (sample values shown here).
// $dbtable: name of the guest-book table; $pdo: the shared database handle.
$dbtable = '数据表名称';
$pdo = new PDO('mysql:host=localhost;dbname=数据库名称;charset=utf8', 'root', '');
/******************************************************************/
/******************************************************************/
到此基本就配置完成了,接着是前端,首页包含了require_once ‘main.php’;
/******************************************************************/
我们看看main.php文件获取内容的方法及写入的表单
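<?php
/*
 * main.php — guest-book page: lists every row of $dbtable and renders the
 * form that posts a new entry to wordtext.php.
 * $pdo and $dbtable are defined in config.php, which header.php loads.
 */
require_once __DIR__ . '/header.php';
#require_once 'footer.php';

// Escape a cell value for an HTML text context.  double_encode=false leaves
// the entities New_Word::new_word_sql() already stored untouched (so text and
// name do not render as "&amp;lt;"), while still escaping columns that were
// stored raw (time, ip).  Escaping at output is the layer that actually
// protects this page, independent of what happened at insert time.
function html_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// $dbtable is a configured identifier, not user input; identifiers cannot be
// bound as PDO parameters.
$sql = "SELECT * FROM $dbtable";
$echotext = $pdo->prepare($sql);
$echotext->execute();
?>
<table align="center" width="80%" border="2">
<?php
$o = 0; // floor counter shown as "第N楼"
// Iterate the statement executed above instead of running $sql a second time.
foreach ($echotext as $row) {
    $o++;
?>
<tr height="30px"><td style="height:80px;width:20%;">留言内容</td><td colspan="3" width="60%"><?php echo html_escape($row["text"]); ?></td></tr>
<tr><td width="20%">楼层</td><td width="20%">名字</td><td width="20%">时间</td><td width="20%">IP</td></tr>
<tr><td>第<?php echo $o; ?>楼</td><td><?php echo html_escape($row["name"]); ?></td><td><?php echo html_escape($row["time"]); ?></td><td><?php echo html_escape($row["ip"]); ?></td></tr>
<tr><td colspan="4" width="60%"><center>*****我是分割线*****</center></td></tr>
<?php
}
?>
<form method="post" action="wordtext.php">
<tr><td>请输入名字</br><input name='username' type='text' size='30' style="width:100%;height:30px;" maxlength='100' value=""></td><td colspan="3">
<textarea name="word" style="height:80px;width:100%;resize: none;" maxlength='3000'></textarea></td></tr>
<tr><td colspan="4" align="center"><input type="submit" value="我也要留言"></td></tr>
</form>
</table>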
/******************************************************************/
这里包含了一个header.php文件,其实这里并不需要启用session
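<?php
/*
 * header.php — common bootstrap included by main.php and wordtext.php:
 * response header, timezone, config.php ($pdo, $dbtable), class.php,
 * the shared redirect snippet $gotoindex, the session, and the page banner.
 */
header("Content-Type:text/html;charset=utf-8");
date_default_timezone_set('Asia/Shanghai');
require_once __DIR__ . '/config.php';
require_once __DIR__ . '/class.php'; # all class definitions
$gotoindex = "<script>setTimeout(\"this.location='index.php'\",2000);</script>";
// session_status() is the reliable test.  The old isset($_SESSION) check only
// worked because $_SESSION is not defined until session_start() has run; it
// would also have called session_start() when sessions are disabled.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
?>
<marquee scrollAmount=2 width=100% onmouseover=stop() onmouseout=start()>
我的留言板</marquee></br>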
/******************************************************************/
然后看留言POST的页面:wordtext.php
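<?php
/*
 * wordtext.php — handles the guest-book POST from main.php.
 * Expects the fields "username" and "word"; validation and the insert are
 * delegated to New_Word::new_word_sql(), which returns 0 on success.
 */
require_once __DIR__ . '/header.php';

if (is_array($_POST) && count($_POST) > 0) {
    // Only string values are accepted; a field posted as an array would have
    // reached htmlspecialchars() and failed there.
    $name = is_string($_POST["username"] ?? null) ? $_POST["username"] : '';
    $text = is_string($_POST["word"] ?? null) ? $_POST["word"] : '';
    // Compare with '' instead of using empty(): empty('0') is true, which
    // wrongly rejected a name or message consisting of the single character "0".
    if ($name !== '' && $text !== '') {
        $newword = new New_Word(); # inserts the entry
        // Strict comparison: the method may return null when its own length
        // check fails, and null == 0 is true, which printed "留言成功" right
        // after the length error.
        if ($newword->new_word_sql($name, $text) === 0) {
            echo "留言成功";
            echo $gotoindex;
        } else {
            echo "错误!";
        }
    } else {
        echo "请完整填写";
        echo $gotoindex;
    }
} else {
    echo "存在空值";
    echo $gotoindex;
}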
/******************************************************************/
接下来就是重点了,class.php文件是如何做安全的.
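<?php
// class.php — class definitions for the guest book.  config.php provides the
// globals ($pdo, $dbtable) the classes read; the path is resolved relative to
// this file so the include does not depend on the working directory.
require_once __DIR__ . '/config.php';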
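class New_Word
{
    private $username; # poster name after HTML escaping
    private $usertext; # message body after HTML escaping

    /*
     * Validate and insert one guest-book entry.
     *
     * @param string $name  raw poster name from the form
     * @param string $text  raw message body from the form
     * @return int 0 when the row was inserted; 1 when a length check failed
     *             (an error message and redirect script are echoed in that case)
     *
     * $pdo and $dbtable are the globals defined in config.php.  $dbtable is a
     * configured identifier, not user input, and is the only value still
     * interpolated into the SQL: name, text, time and ip are bound as
     * parameters, so quote characters in a name can no longer alter the
     * statement (the old prepare() of an already-interpolated string gave no
     * protection).
     */
    function new_word_sql($name, $text)
    {
        global $pdo;
        global $dbtable;
        $ip = $_SERVER["REMOTE_ADDR"] ?? '';
        $time = date("Y-m-d H:i:s");
        // Escape for HTML before storing, because main.php echoes the stored
        // text as-is.  ENT_QUOTES also converts single quotes, which the
        // default flag set leaves alone before PHP 8.1.
        $this->username = htmlspecialchars((string) $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $this->usertext = htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // Length limits are still measured with strlen() on the escaped value:
        // multibyte characters and entities count per byte, which is what the
        // existing data and the message below were written against.
        $nameLen = strlen($this->username);
        $textLen = strlen($this->usertext);
        if ($nameLen >= 6 && $nameLen <= 20 && $textLen >= 10 && $textLen <= 200) {
            $sql = "insert into $dbtable(text,name,time,ip)values(?,?,?,?)";
            $intosql = $pdo->prepare($sql);
            $intosql->execute([$this->usertext, $this->username, $time, $ip]);
            return 0;
        }
        echo "名字要求>6,<20字符;留言要求>10,<200字符";
        echo "<script>setTimeout(\"this.location='index.php'\",2000);</script>";
        return 1;
    }
}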
关于作者