I have this:
<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />
I want to strip quotes from user input so that if someone enters something like: "This is my title" it wont mess up my code.
I tried this and it's not working: $inputData['title'] = str_replace('"', '', $_POST['title']);
If I understand the question correctly, you want to remove "
from $inputData['title']
so your HTML code is not messed up ?
If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.
Considering you are generating HTML, you should use the htmlspecialchars
function ; this way, double-quotes (and a couple of other characters) will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.
For instance :
echo '<input name="title" type="text" class="inputMedium" value="'
. htmlspecialchars($inputData['title'])
. '" />';
Note : depending on your situation (especially, about the encoding/charset you might be using) , you might to pass some additionnal parameters to htmlspecialchars
.
Generally speaking, you should always escape the data you are sending as an output, not matter what kind of output format you have.
For instance :
htmlspecialchars
mysql_real_escape_string
, or an equivalent, depending on the type of database you're working with 用户输入应该通过htmlspecialchars()
来运行,以便在这种情况下使用。
我强烈建议你在显示用户生成的任何地方之前使用htmlentities($ string,ENT_QUOTES) ...
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.