[英]PHP AJAX call to MySQL database. How to properly escape HTML data returned (json_encode) to page?
My database contains records with included HTML scripting tags. 我的数据库包含带有包含的HTML脚本标记的记录。 I have read many different options on how to handle this scenario while also using json_encode/AJAX. 我已经阅读了许多有关如何在使用json_encode / AJAX的情况下如何处理这种情况的选项。
Should I use a JS function to escape special characters client side or might there be a PHP solution I'm missing? 我应该使用JS函数来转义客户端的特殊字符,还是可能缺少我缺少的PHP解决方案?
Edit Assumption: The user does not want to strip/remove the html tags, just wants a way or a suggestion in to encoding them either on the server or client side! 编辑假设:用户不想剥离/删除html标签,只想在服务器或客户端对它们进行编码的方法或建议!
PHP (process.php): PHP(process.php):
$records = array();
if($results = $db->query("SELECT * FROM cust_tbl")) {
if($results->num_rows) {
while($row = $results->fetch_object()) {
$records[] = $row;
}
echo json_encode($records);
$results->free();
}
}
AJAX: AJAX:
function show() {
clear();
$.ajax({
type: "POST",
dataType: "json",
url: "process.php",
data: "action=show",
success: function(data) {
$.each(data, function(index, data) {
$('#tablebody').append('<tr>');
$('#tablebody').append('<td>' + data.JL_JOB_DATE + '</td>');
$('#tablebody').append('<td>' + data.JL_YR + '</td>');
$('#tablebody').append('</tr>');
});
}
});
}
If you are looking to encode HTML to be sent: you can use htmlentities()
如果您希望对要发送的HTML进行编码:可以使用htmlentities()
If you are looking to remove the html tags and just leave the text: use strip_tags()
如果您要删除html标记并只保留文本,请使用strip_tags()
UPDATE: 更新:
I noticed in your $.each
you have 2 arguments you are using data
for. 我在您的$.each
注意到, $.each
都有2个用于data
参数。 In a $.each
what i typically do is this: 在$.each
,我通常这样做的是:
$.each(data, function() {
//use data.<column name>
});
Unless you really need the index of your data i suggest leaving it out for readability. 除非您真的需要数据索引,否则建议您将其保留以提高可读性。 Documentation on $.each
can be found here . $.each
文档可以在这里找到 。
Also, try doing your full append all at once. 另外,请尝试一次完成全部附加操作。
$.each(data, function() {
$('#tablebody').append( '' +
'<tr>' +
'<td>' + data.<column name> + '</td>' +
'<td>' + data.<column name> + '</td>' +
'</tr>' +
'');
});
Doing it your way basically creates a new row then adds table datas to the end of the table instead of specifically in the tr
you want it in. 按照您的方式进行操作,基本上会创建一个新行,然后将表数据添加到表的末尾,而不是专门在所需的tr
中添加。
use php strip_tags($records); 使用php strip_tags($ records);
http://www.w3schools.com/Php/func_string_strip_tags.asp http://www.w3schools.com/Php/func_string_strip_tags.asp
Use underscore.js 使用underscore.js
escape_.escape(string)
Escapes a string for insertion into HTML, replacing &, <, >, ", and ' characters.
_.escape('Curly, Larry & Moe');
=> "Curly, Larry & Moe"
Added function to my code: 在我的代码中添加了功能:
$.each(data, function(index, data) {
$('#tablebody').append('<tr>');
$('#tablebody').append('<td>' + escape(data.JL_JOB_DATE) + '</td>');
$('#tablebody').append('<td>' + escape(data.JL_YR) + '</td>');
$('#tablebody').append('</tr>');
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.