如何防止从表单输入中添加\? [英] How can I prevent \ from being added from the form input?
问题描述
html表单接受textarea输入,当我显示它时,我使用$ _POST值将输入值放到textarea中.例如.
The html form accepts textarea input, and I am using $_POST value to put the input value to textarea when I am displaying it. For example.
<html>
<?php if($_POST['input'){
<form method="post" action="<?=$PHP_SELF?>">
<textarea name="input" cols="60" rows="20"><?=$_POST['input']?></textarea>
<input type="submit" value="Test it">
</form>
<?php
} else {
?>
Please copy in a text of your choice
<br /><br />
<form method="post" action="<?=$PHP_SELF?>">
<textarea name="input" cols="60" rows="20"></textarea>
<input type="submit" value="Test it">
</form>
</html>
一切正常,除了反斜杠"\"被添加到每个单引号和双引号之外.如何设置一些设置以防止添加反斜杠?
Everything works fine except that backslash '\' is added to every single quote, and double quotes. How can I set some setting to prevent backslash from being added?
推荐答案
禁用魔术引号-请参见 http://php.net/manual/zh-cn/security.magicquotes.php -如果您使用共享托管,并且托管人是愚蠢的,并且不想/让您更改它(请参阅该页面)(为什么会如此愚蠢),请对每个从 $ _ GET,$ _ POST,$ _ COOKIE 数组中获取的值使用 stripslashes().
Disable magic quotes - see http://php.net/manual/en/security.magicquotes.php - if you're on shared hosting and your hoster is stupid and doesn't want to / let you change it (see that page for why it is stupid), use stripslashes() on every value you get out ouf the $_GET, $_POST, $_COOKIE arrays.
另一方面,不要在不通过 htmlspecialchars()发送输入值的情况下,将输入值(包括 PHP_SELF )回传到HTML输出中,否则您将具有安全性问题.有关更多信息,请参见 http://en.wikipedia.org/wiki/Cross-site_scripting
On a side note, don't echo input values back (that includes PHP_SELF) into the HTML output without sending them through htmlspecialchars(), or you have security issues. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
这篇关于如何防止从表单输入中添加\?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
