用双引号将字符串引起来 [英] Enclosing the string with double quotes
问题描述
我正在尝试处理可能包含单引号和其他特殊字符的文本.如果包含单引号,则不会继续.因此,我试图将单引号引起来的字符串括在双引号引起来的字符串中.
I am trying to handle text which may contains single quotes and other special char. If it is enclised with single quote, it does not proceed. So I am trying to enclose single quoted string into double quoted string.
我已经检查过以前的线程.
I already checked previous threads.
这是代码:
检查结果: http://ideone.com/gWFdUb
<?php
function clean($string) {
eval('$string = "'.$string.'";');
$string = str_replace(' ', ' ', $string); // Replaces all spaces with hyphens.
return preg_replace('/[^A-Za-z0-9 @\-]/', '', $string); // Removes special chars.
}
$d = clean('this was readlly n'ice 'test for@me to') ;
echo $d;
评估线怎么了?
我正在处理用户推文,发布有两个目的.
I am processing user tweets, post for two purpose.
- 要存储到mysql表中. (mysqli_real_escape)没有帮助
- 将每个字符串处理为文本以进行匹配和POS(词性)标记.
由于文本中的此类字符,我被卡住了.因此,尝试在开始处理之前将其删除.
I get stuck due to such characters in text. So trying to remove it before I start processing.
更新:
检查此内容,这里我已经在使用mysqli_real_escape_String
,即使脚本到达此位置也会停止
Check this, here I am already using mysqli_real_escape_String
even the script stops when it reach this
...
mention-179
May Thanks @ShaleMarkets @01Finser @52York @AB_CutRock @AFSPG @AJSmith222 @AlbertaEnergy @andymartin @annemullettamg @APGQ_officiel-440929408564477952-Tue Mar 04 19:18:57 +0000 2014-19:03:572014:03:04201403Adnan Aftab Nizamani0131
mention-180
Thank you for @ShaleMarkets, to promoting, thank you very much for an award. Glad to have been able to help you :)-440897048963850240-Tue Mar 04 17:10:22 +0000 2014-17:03:222014:03:04201403♘-₭ℜi℘-0582
mention-181
@ShaleMarkets https://t.co/aM8liykQqR-440890009273393152-Tue Mar 04 16:42:24 +0000 2014-16:03:242014:03:04201403Bre Burey018
提法181出了什么毛病,以至于卡住了?这是代码
What's wrong in mention-181 so that it got stuck? Here is the code
foreach ($tweets1 as $item)
{
$count = $count + 1;
$text = $item->text;
//echo $userid.$text;
$text_id = $item->id;
$constant = 'mention';
$time = $item->created_at;
//echo $time;
//$dt = new DateTime('@' . strtotime($time));
$dt = \DateTime::createFromFormat('D M d H:i:s e Y', $time);
//var_dump($dt);
$tweet_time = $dt->format('H:m:s');
$tweet_dtm = $dt->format('Y:m:d');
$year = $dt->format('Y');
$month = $dt->format('m');
$user_name = $item->user->name;
// echo $year.$month.$user_name;
$inreplyto = $item->in_reply_to_screen_name;
$rt_count = $item->retweet_count;
$follower_count = $item->user->followers_count;
echo $constant."-".$count."<br>".$text."-".$text_id."-".$time."-".$tweet_time.$tweet_dtm.$year.$month.$user_name.$rt_count.$follower_count."<br>";
echo "<br>";
$con = mysqli_connect('127.0.0.1', 'root', 'root', 'root');
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
return;
}
$text = mysqli_real_escape_string($con,$text);
$insertQuery1 = "INSERT INTO twitter_mention(`username`,`userid`,`tweet_text`,`text_id`,`time`,`month`,`year`,`date`,`user_follower_count`,`rt_count`,`constant`,`in_reply_to`) VALUES ('".$twitteruser."','".$userid."','".$text."','".$text_id."','".$tweet_time."','".$month."','".$year."','".$tweet_dtm."','".$follower_count."','".$rt_count."','".$constant."','".$inreplyto."')";
if (!mysqli_query($con,$insertQuery1))
{
// die('Error: ' . mysqli_error($con));
// echo "error";
}
推荐答案
始终使用上下文转义
没有任何用途的上下文,您一般无法清理"数据.不要尝试构建单个函数来处理所有可能的情况.只是不要.没有用.在您的函数中,您试图通过删除某些字符来"清理"字符串. 您不能通过删除一组字符来清理字符串.这个想法是有缺陷的,因为您总是必须允许使用某些语法或其他特殊字符.
Always use contextual escaping
You can't generically "clean" data without any context of what it's for. Do not try to build a single function to handle all the possible cases. Just don't. It's pointless. In your function, you're trying to "clean" the string by removing certain characters. You can't clean a string by removing a set of characters. That idea is flawed because you're always going to have to allow the use of some characters that are special in some syntax or the other.
相反,根据要使用的上下文来对待字符串.例如:
Instead, treat the string according to the context where it's going to be used. For example:
-
如果要在SQL查询中使用此字符串,则必须使用准备好的语句(或
mysqli_real_escape_string()
)以正确转义数据.
If you are going to use this string in an SQL query, you have to use prepared statements (or
mysqli_real_escape_string()
) to properly escape the data.
如果要在HTML标记中输出此值,则需要使用 htmlspecialchars()
转义数据.
If you're going to output this value in HTML markup, you need to use htmlspecialchars()
to escape the data.
如果要将其用作命令行参数,则需要使用 escapeshellcmd()
或 escapeshellarg()
.
If you're going to use it as command-line argument, you need to use escapeshellcmd()
or escapeshellarg()
.
进一步阅读:
- Security.SE — What's the best way to sanitize user input in PHP?
- What's the best method for sanitizing user input with PHP?
- Does eliminating dangerous characters avoid SQL-injection?
这篇关于用双引号将字符串引起来的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!