Ben onlar HTML veri gönderebilirsiniz olamaz yani veri kullanıcıları web sitemdeki formları aracılığıyla göndermek güvenli çalışıyorum. Ben şu çalışıyorum ama test ettiğinde, ben hala HTML veri göndermek mümkün değilim ve ben girmiş gibi DB yazar ve ben DB okurken HTML görüntüler.
if (isset($_POST['submit'])) {
if ( strlen($_POST['topictitle']) < 10 ) {
$errors .= "<div>You topic title must be 10 characters or longer!</div>";
} else {
$thread_title = mysqli_real_escape_string($db_connect, trim($_POST['topictitle']));
}
if ( strlen($_POST['content']) < 10 ) {
$errors .= "<div>You message must be 10 characters or longer!</div>";
} else {
$content = mysqli_real_escape_string($db_connect, $_POST['content']);
}
if (isset($errors)) {
$error_message = "<div class=\"error_box\">$errors</div>";
$smarty->assign ('error_message', $error_message);
} else {
$thread_sql = "
INSERT INTO forum_threads (
user_id,
forum_id,
thread_postdate,
thread_lastpost,
thread_title,
thread_description,
thread_icon
) VALUES (
'$_SESSION[user_id]',
'$_GET[f]',
'$date',
'$date',
'$thread_title',
IF('$_POST[topicdescription]'='',NULL,'$_POST[topicdescription]'),
IF('$_POST[posticon]'='NULL',NULL,'$_POST[posticon]')
)
";
$thread_query = @mysqli_query ($db_connect, $thread_sql);
$select_thread_sql = "
SELECT
thread_id
FROM
forum_threads
WHERE
thread_id = LAST_INSERT_ID()
";
$select_thread_query = @mysqli_query ($db_connect, $select_thread_sql);
$select_thread = mysqli_fetch_assoc($select_thread_query);
$thread_id = $select_thread['thread_id'];
$post_sql = "
INSERT INTO forum_posts (
user_id,
thread_id,
post_message,
post_date
) VALUES (
'$_SESSION[user_id]',
'$thread_id',
'$content',
'$date'
)
";
$post_query = @mysqli_query ($db_connect, $post_sql);
$url = $url . "forum.php?t=" . $thread_id;
header("Location: $url");
exit();
}
}