使用PHP转义变量中的引号
[英]Escape quotes in a variable with PHP
问题描述
I use this code to genefate html 
我使用此代码来生成html
echo "<input type='button' onclick=\"myFunc('$param');\" />";
Everything would be OK unless $param contains ' or " character. How should it be implemented to handle these situations? 除非$ param包含'或"字符,否则一切都会好的。如何处理这些情况呢?
ps. PS。 mysql_real_escape_string($param) won't work correctly, when a user entered " . 当用户输入"时,mysql_real_escape_string($ param)将无法正常工作" 。
7 个解决方案
解决方案1
8 2011-04-16 11:19:32
There are a couple of functions that could be used: 有几个功能可以使用:
<?php
$string = 'string test"';
echo htmlentities($string) . "\n";
echo addslashes($string) . "\n";
They produce the following: 他们产生以下内容:
string test"
string test\"
解决方案2
5 2011-04-16 11:19:27
As Damien said; 达米恩说; use addslashes :) 使用addslashes :)
$param=addslashes($param);
echo "<input type='button' onclick=\"myFunc('$param');\" />";
解决方案3
4 2011-04-16 11:20:11
If you are relying on user input, use htmlentities($param, ENT_QUOTES); 如果您依赖于用户输入,请使用htmlentities($param, ENT_QUOTES);
See http://uk.php.net/manual/en/function.htmlentities.php 见http://uk.php.net/manual/en/function.htmlentities.php
解决方案4
2 2011-04-16 11:20:06
从htmlspecialchars($pram,ENT_QUOTES)传递变量htmlspecialchars($pram,ENT_QUOTES)
解决方案5
2 2011-04-16 13:13:00
Whenever thinking about escaping, you always need to ask 每当想到逃跑时,你总是需要问
"In which context do I want to escape?" “我想在哪种情况下逃避?”
Because escaping is essentialy making sure the input is not interpreted in the special meaning of the target, but literaly 因为逃避本质上是确保输入不被解释为目标的特殊含义,而是文学上的
Do not use addslashes, since it's contextless 不要使用addslashes的,因为它是无上下文
If you are inserting the string into HTML, use 如果要将字符串插入HTML,请使用
htmlspecialchars($argument, ENT_QUOTES)
as mentioned. 如上所述。
The onclick content part is technicaly JavaScript, so it might be appropriate to escape the content with json_encode (it's side-effect is JavaScript-specific escaping). onclick内容部分是技术性的JavaScript,因此使用json_encode来转义内容可能是合适的(它的副作用是特定于JavaScript的转义)。 Similarly should you have style attribute, you'd want to escape the content with 同样,如果你有style属性,你想要转义内容
addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~")
(source: http://translate.google.com/translate?u=http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en ) (来源: http : //translate.google.com/translate?u = http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en )
Summary 摘要
Use 使用
$param = htmlspecialchars(json_encode($param), ENT_QUOTES)
and then you can safely include it into the HTML string 然后您可以安全地将其包含在HTML字符串中
解决方案6
1 2011-04-16 11:18:52
first do 先做
// only for the GUY who didn't read the complete answer :(
$param=addslashes($param);
then write code in simple HTML 然后用简单的HTML编写代码
<input type='button' onclick="myFunc(<?php echo $param?>);" />
Note: mysql_real_escape_string works when we handle with mysqltry with addslashes 注意:当我们使用addslashes处理mysqltry时, mysql_real_escape_string起作用
解决方案7
0 2014-04-06 23:30:44
This works for me... 这对我有用......
echo '<a href="#" onclick="showTable(''.$table.'')">'.$table.'</a>';
It's not necessary to use backslaches for escaping when using single quote for echo. 当使用echo的单引号时,没有必要使用backslaches进行转义。 Single quote have my vote to work with both php and javascript + html tag. 单引号让我投票使用php和javascript + html标签。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.