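// NOTE(review): this excerpt starts mid-file. $xz (the request parameter),
// $db (the query wrapper with query()/fetch_array()) and _ROOT are assigned
// before this point and are not visible here.

// The return value of this call is discarded, so whatever dowith_sql()
// strips never reaches $xz. It is kept for compatibility with the rest of
// the file, but it is NOT the injection defence -- the escaping below is.
dowith_sql($xz);
$xz = strip_tags($xz);

// FIXME(security): database credentials and an internal host are hard-coded
// in a web-served file; move them to configuration outside the web root.
// NOTE: the mysql_* extension was removed in PHP 7.0; before running on a
// modern PHP this file needs a mysqli/PDO migration with prepared statements.
$conn = mysql_connect("10.103.33.132", "content", "content2pub")
    or die("连接数据库失败,请检查数据库配置信息!");

// Set the connection charset through the client library instead of sending
// `SET NAMES gbk` as a plain query. mysql_real_escape_string() only learns
// the connection charset this way; after a bare `SET NAMES` it still escapes
// as if the charset were single-byte, and a GBK lead byte (e.g. 0xBF) can
// absorb the inserted backslash so that a following quote survives.
mysql_set_charset('gbk', $conn);
mysql_select_db("lady") or die("不能连接到指定的数据库");

// Seven-day window ending today, server local time, compared as Y-m-d strings.
$date1 = date("Y-m-d", time() - 7 * 24 * 60 * 60);
$date2 = date("Y-m-d");

// Escape the user-controlled value before interpolating it into SQL; the
// mysql_* API offers no parameterised queries. Assumes $db->query() uses this
// same link (mysql_connect() reuses an existing link for identical
// host/user/password) -- TODO confirm against the $db wrapper.
$xz_sql = mysql_real_escape_string($xz, $conn);
$sql = "select * from xzyuns where xz='$xz_sql' and xzwkdate>'$date1' and xzwkdate<='$date2'";

// Defaults so the template receives empty strings rather than undefined
// variables when no row matches.
$title = $maintext = $date = $pic = $riq = '';
$rs = $db->query($sql);
while ($row = $db->fetch_array($rs)) {
    // If several rows match, the last one wins (unchanged from the original).
    $title    = $row['title'];
    $maintext = $row['content'];
    $date     = $row['xzwkdate'];
    $xz       = $row['xz'];
    $pic      = $row['pic'];
}

// $xz is now either the DB value or, when nothing matched, the request
// value; escape it again before it goes into the second query.
$xz1 = $xz . "座";
$sql_r = "select riq from 12xz where xz='" . mysql_real_escape_string($xz1, $conn) . "'";
$rs_r = $db->query($sql_r);
while ($row_r = $db->fetch_array($rs_r)) {
    $riq = $row_r['riq'];
}

// NOTE(review): the template engine's output escaping is not visible here.
// maintext is DB-stored content; confirm the template HTML-escapes the
// values that are not meant to contain markup.
require_once _ROOT . 'include/template.class.php';
$manager = new TemplateManager();
$tproc   = new TemplateProcessor();
$tproc->set('title', $title);
$tproc->set('maintext', $maintext);
$tproc->set('date', $date);
$tproc->set('xz', $xz);
$tproc->set('pic', $pic);
$tproc->set('riq', $riq);
$template =& $manager->prepare(_ROOT . '/template/detail-tmpl201110_yuns.html');
echo $tproc->process($template);
mysql_close($conn);
exit;

/**
 * Legacy request-parameter "sanitiser" that rewrites $_GET / $_POST in place.
 *
 * WARNING (review): this is a keyword blacklist, not an injection defence.
 * str_replace() is case-sensitive (`SELECT` passes untouched), the list is
 * applied in a single pass (`selselectect` becomes `select`), it removes
 * ordinary words such as "and" / "or" from legitimate input, and it does
 * nothing for numeric contexts. Treat it as best-effort noise filtering;
 * real protection must come from escaping or prepared statements at the
 * query site.
 */
class sqlin
{
    /**
     * Remove every blacklisted token from $str, once, in list order.
     *
     * @param string $str raw parameter value
     * @return string the value with the tokens below removed (case-sensitive)
     */
    function dowith_sql($str)
    {
        // Same tokens in the same order as the original chain of
        // str_replace() calls; str_replace() with an array needle applies
        // them sequentially to the running result, so behaviour is unchanged.
        $blacklist = array(
            "and", "execute", "update", "count", "chr", "mid", "master",
            "truncate", "char", "declare", "select", "create", "delete",
            "insert", "'", '"', '\\', " ", "or", "=", "%20", "alert",
            "(", ")",
        );
        return str_replace($blacklist, "", $str);
    }

    /**
     * addslashes() the value (unless magic_quotes_gpc already did) and then
     * strip_tags() it.
     *
     * NOTE(review): get_magic_quotes_gpc() always returns false since
     * PHP 5.4 and no longer exists in PHP 8.0. addslashes() is also not
     * charset-aware, so it is not a substitute for mysql_real_escape_string()
     * on a GBK connection.
     *
     * @param string $str raw parameter value
     * @return string slash-escaped value with HTML/XML/PHP tags removed
     */
    function dowith_html($str)
    {
        if (!get_magic_quotes_gpc()) {
            $str = addslashes($str);
        }
        return strip_tags($str);
    }

    /**
     * PHP 5+ constructor. The original class relied on the PHP4-style
     * same-named constructor, which is deprecated in 7.0 and not a
     * constructor at all in 8.0; delegating keeps both call paths working.
     */
    function __construct()
    {
        $this->sqlin();
    }

    /**
     * Filter every $_GET and $_POST value in place: dowith_html() first,
     * then dowith_sql(). Values are expected to be scalars; array-valued
     * parameters get no special handling (unchanged from the original).
     */
    function sqlin()
    {
        foreach ($_GET as $key => $value) {
            $_GET[$key] = $this->dowith_sql($this->dowith_html($value));
        }
        foreach ($_POST as $key => $value) {
            $_POST[$key] = $this->dowith_sql($this->dowith_html($value));
        }
    }
}
?>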