PHP MySQL 如何正确存储/转义字符串 [英] PHP MySQL how to properly store / escape string
问题描述
我遇到了包含 <br/> 或 & 的字符串问题,<等等.
在将它们存储到 DB 之前,我是这样转义的
nl2br(htmlentities($string, ENT_QUOTES, 'UTF-8'));但是有时当我显示存储的结果时,我会得到这样的东西
&lt;br/&gt;&lt;br/&gt;<br/><br/><br/><br/>有人可以帮助/告诉我转义字符串但保留断点等的最佳方法,当我想在屏幕上显示它时.
谢谢
确保将double_encode设置为false,否则已经编码的字符串将再次编码,转为& 变成 &.然后当你使用html_entity_decode后去显示时,它会看起来好像它仍然是编码的.
使用 htmlentities($string, ENT_QUOTES, 'UTF-8', false); 将确保不会发生这种情况.
然后使用 html_entity_decode($string, ENT_QUOTES, 'UTF-8'); 显示值.
但是,MySQL 完全能够将解码后的值存储在数据库中.
您永远不想将 htmlentities 编码的字符串存储在您的数据库中.当您想要生成 CSV 或 PDF、发送电子邮件或任何非 HTML 的内容时会发生什么?
除了您必须执行双倍的数据编码编程,增加数据库中的数据量,然后仍然需要对输出进行解码之外,网上有大量文章回答您为什么不应该这样做.
因此,您应该只需要对用于在 html 中显示结果数据输出的值进行编码.
相反,您应该使用 mysqli_real_escape_string
$string = '<a href="/path/to/file?a=b&foo=bar#baz">我的链接</a>';$sql = "插入链接(链接)"."VALUES(" .mysqli_real_escape_string($string) ."')";或者更好地使用准备好的语句
$stmt = $mysqli->prepare("INSERT INTO links (link) VALUES(?)");$stmt->bind_param("s", $string);$stmt->execute();然后将输出格式化为成功消息以显示实际添加到数据库中的内容.
$html = " 添加链接:" .htmlentities($string, ENT_QUOTES, 'UTF-8', false) ."</div>";现在不需要使用 html_entity_decode 在浏览器中呈现 html.
I am having an issue with string sting that contains <br/> or & , < and so on.
I am escaping it like this before I store them into DB
nl2br(htmlentities($string, ENT_QUOTES, 'UTF-8'));
However some times when I display stored results I get stuff like this
&lt;br /&gt;&lt;br /&gt;<br /><br /><br /><br />
can someone help / show me the best way to escape strings but preserve the break points and so on when I want to display it back on the screen.
thanks you
解决方案 Ensure you set the double_encode to false, otherwise already encoded strings will be encoded again, turning & into &amp;. Then when you go to display it after using html_entity_decode, it will appear as if it was still encoded.
Undesirable Result: http://ideone.com/uQxuAM
Using htmlentities($string, ENT_QUOTES, 'UTF-8', false); will ensure this will not happen.
Then use html_entity_decode($string, ENT_QUOTES, 'UTF-8'); to display the value.
Demo: http://ideone.com/8Jo7YA
However, MySQL is fully capable of storing the decoded values in the database.
You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, send an email, or anything which isn't HTML?
Aside from the fact you have to perform double the programming of encoding the data, increasing the amount of data in the database, then still need to decode the output, there are tons of articles online answering why you shouldn't.
So you should only ever need to encode the values for displaying the resulting data output in html.
Instead you should escape the input using mysqli_real_escape_string
$string = '<a href="/path/to/file?a=b&foo=bar#baz">My Link</a>';
$sql = "INSERT INTO links (link)"
. "VALUES(" . mysqli_real_escape_string($string) . "')";
or better yet use prepared statements
$stmt = $mysqli->prepare("INSERT INTO links (link) VALUES(?)");
$stmt->bind_param("s", $string);
$stmt->execute();
Then to format the output as a success message to display what was actually added to the database.
$html = "<div>Added Link: " . htmlentities($string, ENT_QUOTES, 'UTF-8', false) . "</div>";
Now there is no need to use html_entity_decode to have the html rendered in the browser.
这篇关于PHP MySQL 如何正确存储/转义字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
