用HTML ascii代码替换 [英] Replace with HTML ascii codes

问题描述

我遇到了一个问题。编写了以下代码片段：

  teksti = teksti.Trim（）
 teksti = Replace（teksti，< ，& lt;）
 teksti =替换（teksti，>，& gt;）
 teksti =替换（teksti，，& quot; quot ;）
 teksti = Replace（teksti，'，&＃8217;）
 teksti = Replace（teksti，％，&＃37;）
 teksti =替换（teksti，&，&）
 teksti =替换（teksti，＃，&＃35;）
 teksti =替换（teksti ，@，&＃64;）
  

写完后我意识到它变成了它的自己的问题。该函数应该为HTML和SQL注入提供安全的信息（还有其他方法，参数化查询等，但这不是重点）。然而，会发生什么呢？它首先用& amp;<>替换& lt; ，然后继续替换新写入的字符串，因为每个替换字符串都有&，＃和;标志。

任何提示？我想过为此使用正则表达式，但是我找不到任何像样的Visual Basic示例。

为提示。我确信会有一个聪明的简单方法来做到这一点，但我想毕竟还没有普遍的方法。首先重新安排问题案例在这里是显而易见的解决方案，谢谢。我猜这个工作日太长了，我没有注意到。 ：D

至于参数化查询，检查我看到我的英语没有达到预期的效果。我的意思是说我已经在使用它们，这里的这个问题是特定的，以防止所有方式的html注入和可能的SQL注入在以后的其他地方使用相同的字符串。再次感谢您的帮助。

解决方案

如果这是.NET，您可以看看 System.Web.HttpServerUtility.HtmlEncode 。

如果您使用的是VBScript / VB6，请将&符号和磅符号移至此列表的顶部，并且不要依赖此函数来保护你免受sql注入。您仍然需要参数化查询。

I ran into a problem. Wrote the following code snippet:

teksti = teksti.Trim()
teksti = Replace(teksti, "<", "& lt;")
teksti = Replace(teksti, ">", "& gt;")
teksti = Replace(teksti, """", "& quot;")
teksti = Replace(teksti, "'", "& #8217;")
teksti = Replace(teksti, "%", "& #37;")
teksti = Replace(teksti, "&", "& amp;")
teksti = Replace(teksti, "#", "& #35;")
teksti = Replace(teksti, "@", "& #64;")

After writing this I realized it becomes its own problem. The function is supposed to make information safe for HTML and SQL injection (there are other methods too, parameterized queries, etc but that's beside the point). However what happens, is that it first replaces < with & lt; and then proceeds to replace the newly written string again as every replace string has &, # and ; signs in it.

Any hints? I thought about using a regex for this, but I couldn't find any decent Visual Basic examples that were simple enough.

Edit: Thanks for the tips. I was sure there would be a "smart" easy way to do this, but I guess there are no common methods available after all. The re-arranging the problem cases first is the obvious solution here, thanks for that. I guess the work day was too long for me to notice. :D

As for parametirized queries, checking back I see my English doesn't come out as intended. I meant to say that I'm already using them, that this problem here is specific to prevent all manner of html-injection and possible sql-injection using the same strings elsewhere later. Thanks again for the help.

解决方案

If this is .NET, you might look at System.Web.HttpServerUtility.HtmlEncode instead.

If you're using VBScript/VB6 just move the ampersand and pound sign up to the top of this list, and don't rely on this function to protect you against sql injection. You still need parameterized queries.

这篇关于用HTML ascii代码替换的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！