PHP——安全查询数据

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <title></title>
    <meta charset="UTF-8">
</head>
<body>
<h1>Add a Blog Entry</h1>
<?php
    if(isset($_POST['submitted'])){ //处理表单。

        //连接服务器并选中数据库：
        $dbc = mysql_connect('localhost','username','password');
        mysql_select_db('mybolg',$dbc);

        //验证表单数据并确保安全：
        $problem = FALSE;
        if(!empty($_POST['title']) && !empty($_POST['entry'])){
            $title = mysql_real_escape_string(trim(strip_tags($_POST['title'])),$dbc);
            $entry = mysql_real_escape_string(trim(strip_tags($_POST['entry'])),$dbc);
        }else{
            echo '<p style="color: red;">Please submit both a title and an entry.</p>';
            $problem = TRUE;
        }
        if(!$problem){

            //定义查询：
            $query = "INSERT INTO entries(entry_id,title,entry,date_entered) VALUE
            (0,'$title','$entry',NOW())";

            //执行查询
            if(@mysql_query($query,$dbc)){
                echo '<p>The blog entry has been added!</p>';
            }else{
                echo '<p style="color: red;">Could not add the entry because:<br/>'.
                mysql_error($dbc).'.</p><p>The query being run was:'.$query.'</p>';
            }
        }//一切正常！
        mysql_close($dbc);  //关闭连接。
    }   //结束提交条件语句。

//显示表单：
?>
<form action="add_entry1.php" method="post">
    <p>Entry Title: <input type="text" name="title" size="40" maxlength="100" /></p>
    <p>Entry Text: <textarea name="entry" cols="40" rows="5"></textarea></p>
    <input type="submit" name="submit" value="Post This Entry!" />
    <input type="hidden" name="submitted" value="true" />
</form>
</body>
</html>