用双引号将字符串引起来 [英] Enclosing the string with double quotes

问题描述

我正在尝试处理可能包含单引号和其他特殊字符的文本.如果包含单引号，则不会继续.因此，我试图将单引号引起来的字符串括在双引号引起来的字符串中.

I am trying to handle text which may contains single quotes and other special char. If it is enclised with single quote, it does not proceed. So I am trying to enclose single quoted string into double quoted string.

我已经检查过以前的线程.

I already checked previous threads.

这是代码:

检查结果: http://ideone.com/gWFdUb

<?php
function clean($string) {
    eval('$string = "'.$string.'";');
   $string = str_replace(' ', ' ', $string); // Replaces all spaces with hyphens.
   return preg_replace('/[^A-Za-z0-9 @\-]/', '', $string); // Removes special chars.
}

$d =  clean('this was readlly n'ice 'test for@me to') ;
echo $d;

评估线怎么了?

我正在处理用户推文，发布有两个目的.

I am processing user tweets, post for two purpose.

1. 要存储到mysql表中. (mysqli_real_escape)没有帮助
2. 将每个字符串处理为文本以进行匹配和POS(词性)标记.

由于文本中的此类字符，我被卡住了.因此，尝试在开始处理之前将其删除.

I get stuck due to such characters in text. So trying to remove it before I start processing.

更新:

检查此内容，这里我已经在使用mysqli_real_escape_String，即使脚本到达此位置也会停止

Check this, here I am already using mysqli_real_escape_String even the script stops when it reach this

...
mention-179
May Thanks @ShaleMarkets @01Finser @52York @AB_CutRock @AFSPG @AJSmith222 @AlbertaEnergy @andymartin @annemullettamg @APGQ_officiel-440929408564477952-Tue Mar 04 19:18:57 +0000 2014-19:03:572014:03:04201403Adnan Aftab Nizamani0131

mention-180
Thank you for @ShaleMarkets, to promoting, thank you very much for an award. Glad to have been able to help you :)-440897048963850240-Tue Mar 04 17:10:22 +0000 2014-17:03:222014:03:04201403♘-₭ℜi℘-0582

mention-181
@ShaleMarkets https://t.co/aM8liykQqR-440890009273393152-Tue Mar 04 16:42:24 +0000 2014-16:03:242014:03:04201403Bre Burey018

提法181出了什么毛病，以至于卡住了?这是代码

What's wrong in mention-181 so that it got stuck? Here is the code

    foreach ($tweets1 as $item)
    {       
        $count = $count + 1;
        $text = $item->text;
        //echo $userid.$text;
        $text_id = $item->id;
        $constant = 'mention';
        $time = $item->created_at;
        //echo $time;
        //$dt = new DateTime('@' . strtotime($time));
        $dt = \DateTime::createFromFormat('D M d H:i:s e Y', $time);
        //var_dump($dt);
        $tweet_time = $dt->format('H:m:s');
        $tweet_dtm = $dt->format('Y:m:d');
        $year =  $dt->format('Y'); 
        $month =  $dt->format('m'); 
        $user_name = $item->user->name;
//      echo $year.$month.$user_name;
        $inreplyto =  $item->in_reply_to_screen_name;
        $rt_count = $item->retweet_count;
        $follower_count = $item->user->followers_count;
        echo $constant."-".$count."<br>".$text."-".$text_id."-".$time."-".$tweet_time.$tweet_dtm.$year.$month.$user_name.$rt_count.$follower_count."<br>";
        echo "<br>";
        $con = mysqli_connect('127.0.0.1', 'root', 'root', 'root');         
        if (mysqli_connect_errno())
        {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
            return;
        }
        $text = mysqli_real_escape_string($con,$text);
        $insertQuery1 = "INSERT INTO twitter_mention(`username`,`userid`,`tweet_text`,`text_id`,`time`,`month`,`year`,`date`,`user_follower_count`,`rt_count`,`constant`,`in_reply_to`) VALUES ('".$twitteruser."','".$userid."','".$text."','".$text_id."','".$tweet_time."','".$month."','".$year."','".$tweet_dtm."','".$follower_count."','".$rt_count."','".$constant."','".$inreplyto."')";

        if (!mysqli_query($con,$insertQuery1))
        {
        //  die('Error: ' . mysqli_error($con));
        //  echo "error";
        }

推荐答案

始终使用上下文转义

没有任何用途的上下文，您一般无法清理"数据.不要尝试构建单个函数来处理所有可能的情况.只是不要.没有用.在您的函数中，您试图通过删除某些字符来"清理"字符串. 您不能通过删除一组字符来清理字符串.这个想法是有缺陷的，因为您总是必须允许使用某些语法或其他特殊字符.

Always use contextual escaping

You can't generically "clean" data without any context of what it's for. Do not try to build a single function to handle all the possible cases. Just don't. It's pointless. In your function, you're trying to "clean" the string by removing certain characters. You can't clean a string by removing a set of characters. That idea is flawed because you're always going to have to allow the use of some characters that are special in some syntax or the other.

相反，根据要使用的上下文来对待字符串.例如:

Instead, treat the string according to the context where it's going to be used. For example:

• 如果要在SQL查询中使用此字符串，则必须使用准备好的语句(或 mysqli_real_escape_string() )以正确转义数据.

• If you are going to use this string in an SQL query, you have to use prepared statements (or mysqli_real_escape_string()) to properly escape the data.

如果要在HTML标记中输出此值，则需要使用 htmlspecialchars() 转义数据.

If you're going to output this value in HTML markup, you need to use htmlspecialchars() to escape the data.

如果要将其用作命令行参数，则需要使用 escapeshellcmd() 或 escapeshellarg() .

If you're going to use it as command-line argument, you need to use escapeshellcmd() or escapeshellarg().

进一步阅读:

• Security.SE-清理用户的最佳方法是什么用PHP输入?
• 使用以下命令清理用户输入的最佳方法是什么PHP?
• 消除危险字符是否可以避免SQL注入?

• Security.SE — What's the best way to sanitize user input in PHP?
• What's the best method for sanitizing user input with PHP?
• Does eliminating dangerous characters avoid SQL-injection?

这篇关于用双引号将字符串引起来的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！