htmlspecialchars ENT_NOQUOTES不起作用?
[英]Htmlspecialchars ENT_NOQUOTES not working?
问题描述
I'm trying to output the name of a project ie "David's Project" in a form, if a user does not correctly input all data in the form, to save the user having to input the name again. 
如果用户未正确输入表单中的所有数据,我将尝试以表单形式输出项目的名称,即“ David's Project”,以节省用户不得不再次输入名称的麻烦。
If I var_dump $name I see David's project. 如果我var_dump $ name我看到了大卫的项目。 But if I echo $name I see David"'" Project. 但是,如果我回显$ name,我会看到David“&#39”项目。 I realise that ' (single quote) becomes "'"; 我意识到'(单引号)变为“&#039”; but I have tried using ENT_NOQUOTES and ENT_COMPAT to avoid encoding the single quote but neither works. 但我尝试使用ENT_NOQUOTES和ENT_COMPAT来避免对单引号进行编码,但均无效。
$name = trim(filter_input(INPUT_POST, 'name0', FILTER_SANITIZE_STRING));
<form method="post" class="form" />
Title: <input type="text" name="name0" value="<?php echo
htmlspecialchars($name, ENT_NOQUOTES); ?>">
Am I doing something wrong or should the ENT_NOQUOTES work? 我是在做错什么,还是ENT_NOQUOTES应该工作? I tried using str_replace to replace with ' with an \\' but this didn't work either. 我尝试使用str_replace替换为'带\\',但这也不起作用。
The only way round this I have found is to use this: 我发现的唯一方法是使用此方法:
htmlspecialchars_decode(htmlspecialchars($name, ENT_NOQUOTES));
Is that acceptable? 可以接受吗?
Sorry I realise this is probably a really stupid question but I just can't get my head around it. 抱歉,我意识到这可能是一个非常愚蠢的问题,但我始终无法解决。
Thanks for any replies. 感谢您的任何答复。
1 个解决方案
解决方案1
2 已采纳 2018-08-01 15:57:12
You can accept a simple answer if it solves your problem BUT you should really understand that what you have delved into is a much larger issue you or someone has created for you. 如果它可以解决您的问题,您可以接受一个简单的答案,但是您应该真正了解,您所研究的问题是您自己或某人为您创建的一个更大的问题。
- Databases should not contain HTML encoded characters unless they are specifically meant for storing HTML. 除非数据库专门用于存储HTML,否则数据库不应包含HTML编码的字符。 I highly doubt this is the case as it very rarely is. 我非常怀疑这种情况,因为这种情况很少发生。
- Someone is inserting HTML into your database (html encoding data on insert). 有人正在将HTML插入数据库中(插入时对HTML进行编码的数据)。 This means if you ever want to use a mobile app that is not HTML based, or a command line, or anything at all that might use the data and isn't HTML based, you are going to run into a weird problem where the HTML encoded characters have to be removed on output. 这意味着,如果您想使用不是基于HTML的移动应用程序,命令行,或者根本不使用基于HTML的任何内容的移动应用程序,那么您将遇到一个奇怪的问题,即HTML编码的字符必须在输出中删除。 This is typically kind of the backwards way to do it and can often cause issues. 这通常是一种倒退的方法,通常会导致问题。
- You rarely need to "sanitize" your inputs. 您很少需要“清理”您的输入。 If anything, you should reject input that is not allowed OR simply escape it in the proper way while inserting it into the database. 如果有的话,应该拒绝不允许的输入,或者在将其插入数据库时以适当的方式对其进行转义。 Sanitizing is only a thing in very special circumstances, which you don't appear to have right now. 消毒只是在非常特殊的情况下发生的事情,您现在似乎还没有。 You're simply inputting and outputting text. 您只需输入和输出文本。
- You should pretty much never change users input 您应该几乎永远不要更改用户输入
My suggestion, if possible, is to fix your INSERT code first so it isn't html encoding data. 我的建议是,如果可能的话,请先修复您的INSERT代码,以便它不是html编码数据。 This html encoding should happen when you output the data TO AN HTML FORMAT. 当您将数据输出到HTML格式时,应该发生这种html编码。 You would use htmlspecialchars() to do this. 您将使用htmlspecialchars()进行此操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.