单引号和双引号问题
[英]Single and Double Quotes Problems
问题描述
I was struggling with escaping double and single quotes with addslashes() and stripslashes()... in a mini web application that just inserts values and retrieves those values back out in a form to edit, and a general page to view the attributes. 
在一个迷你Web应用程序中,我只是想用addlashes()和stripslashes()来转义双引号和单引号,而这只是一个插入值并以表单形式检索出来的值,以供编辑,还有一个用于查看属性的常规页面。 Finally I settled on this function to change single and double quotes: 最后,我决定使用此函数来更改单引号和双引号:
function fixQuotes($string) {
$string = str_replace("'", ''', $string);
$string = str_replace('"', '"', $string);
return $string;
}
Since I don't have any details for you as for what was happening before using this method, I can't really ask what was wrong. 由于在使用此方法之前,我没有任何细节可知,所以我不能真正问出什么地方出了问题。 Rather, I would like to know if there are any drawbacks of using this function to replace single and double quotes with the html entities. 相反,我想知道使用此函数用html实体替换单引号和双引号是否有任何缺点。
1 个解决方案
解决方案1
4 已采纳 2013-10-08 06:13:57
You can't just magically "fix" quotes without knowing where the data is going to. 您不能仅凭魔术般地“修复”引号,而不必知道数据将去向何处。
When you insert data into a database, escape it with the database API's escape function.
将数据插入数据库时,请使用数据库API的转义功能对其进行转义。 If you're using the legacy MySQL API (which you should not be in new code as it is deprecated), use mysql_real_escape_string . 如果您使用的是旧版MySQL API(不推荐使用,因为它不建议使用新代码),请使用mysql_real_escape_string 。 If you're using the MySQL-improved API, use mysqli_real_escape_string . 如果您使用的是MySQL改进的API,请使用mysqli_real_escape_string 。 If you're using PDO, use bindValue , or execute with the input_parametersparameter, or quote .如果您使用PDO,使用bindValue ,或执行与input_parameters参数或引用 。When you echo text to an HTML page, use htmlspecialchars .
当您将文字回显到HTML页面时,请使用htmlspecialchars 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.