strip_tags not working
I am trying to filter html characters out like this:
$user = $_POST["user"]; //Get username from <form>
mysql_real_escape_string($user); //Against SQL injection
strip_tags($user); //Filter html characters out
But for some reason this is not filtering html characters out. I don't know why, could it be mysql_real_escape_string?
...But, do you mean:
$user = $_POST["user"]; // Get username from <form>
$user = mysql_real_escape_string($user); // Against SQL injection
$user = strip_tags($user); // Filter html characters out
?
As said in the other answers (referring to strip_tags(), but it's the same for mysql_real_escape_string()), these functions do not alter strings directly, but return the modified copy. So you have to assign return values to the same (or another) variable!
strip_tags($user); //Filter html characters out
should be replaced with this:
$user = strip_tags($user); //Filter html characters out
strip_tags returns the stripped value
See doc: http://nl2.php.net/strip_tags
This is the same with mysql_real_escape_string()
$user = mysql_real_escape_string($user); //Against SQL injection
You are using strip_tags improperly:
string strip_tags ( string $str [, string $allowable_tags ] )
Modifying the code to assign it to a return value should fix it
$user = strip_tags($user); //Filter html characters out
EDIT
Just for completeness' sake, thanks to lorenzo-s for pointing it out, you also need to do the same to the mysql_real_escape_string.
$user = mysql_real_escape_string($user); // Against SQL injection
As already said
$user = strip_tags($user);
should be used, but I'd also put
mysql_real_escape_string($user);
AFTER the call to strip_tags();
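Added example, not part of any answer in this thread: it shows the discarded versus assigned return value of strip_tags() on a constructed input, and goes one step beyond the answers by storing the result through a bound parameter, since the mysql_* functions used above were removed in PHP 7.0. Assumptions: the sample username, the users table and the in-memory SQLite database via PDO are hypothetical and chosen only so the script runs offline.

```php
<?php
// Added example: constructed input standing in for $_POST["user"].
$raw = "<b>Bob</b> O'Neil";

// strip_tags() does not modify its argument; it returns the stripped copy.
$user = $raw;
strip_tags($user);                      // return value discarded
$unchanged = ($user === $raw);          // $user still contains the <b> tags

$user = strip_tags($user);              // return value assigned
$stripped = ($user === "Bob O'Neil");   // tags removed, the quote is kept

// Assumption: PDO with an in-memory SQLite database (needs pdo_sqlite),
// used here only so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');

// Bound parameter: the value never becomes part of the SQL text, so there
// is no manual escaping step and no ordering question versus strip_tags().
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $user]);

// Encode for the HTML context when the value is printed, not when stored.
$name = $db->query('SELECT name FROM users')->fetchColumn();
$html = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

var_dump($unchanged, $stripped, $name, $html);
```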