str_ireplace 或 preg_replace 将中断标记替换为 \r\n [英] str_ireplace or preg_replace replaced break tag into \r\n

问题描述

我已阅读

如果有任何以前的帖子/PHP方法让我知道

添加我的代码来回显文本框

<-- 这行不通-->$username = $_SESSION['username'];$unsafenomorsoal = $_POST['nomorsoal'];$unsafejawaban = $_POST['jawaban'];$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);$jawabannotcut = substr($unsafejawaban,0,50000);$unsafejawabanfirst = nl2br($jawabannotcut);$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);$breaks = array("<br/>","<br>","<br/>");$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);$_SESSION['textvaluejawaban'] = $jawaban;

这就是回应:

 echo "<div class=\"head-main-recent-background\" style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">-Jawab Soal -<br/>".$jawabanerror."<br/>Nama:.$_SESSION['用户名']."<br/><form method=\"post\" action=\"prosesjawabsoal.php\"><input type=\"hidden\" name=\"nomorsoal\" value=\"".$_SESSION['nomorsoal']."\"/>贾瓦班:<br/><textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow- x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea><br/>验证码 <br/><div style=\"overflow:hidden;\" class=\"g-recaptcha\" data-sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/><button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button></表单>

";

注意:该代码段不起作用，因为它是 php
抱歉，由于发布代码时出错，我使用了代码片段！

尝试了 preg_replace() 方法，但结果仍然相同

更改标题以说明 preg_replace 不起作用

解决方案

你的问题是 mysqli_real_escape_string().将\r\n"转换为字符串以使其安全地输入到数据库中.完全删除它.而是在输出到屏幕时使用 htmlspecialchars:

echo htmlspecialchars($myUnsafeVar);

应用这些规则(作为起点，总是有可能的例外，但在极少数情况下):

• 在将字符串输入数据库时​​使用mysqli_real_escape_string.输出到屏幕时它不会像您期望的那样做 - 所以任何已经被 mysql 转义()的东西都不应该出现在屏幕上.
• 在输出到屏幕时使用 htmlspecialchars(您没有！).
• 使用 url_encode 将内容添加到 URL 中
• 还有许多不同的转义"功能(例如插入 JSON、插入 mysql、插入其他数据库).根据您的需要使用正确的工具 - 请勿将其用于其他目的.

检查功能以获取更多详细信息.

就目前而言，即使采取了所有这些努力，您的代码也不安全 - 但修复起来非常简单！

I have read this post that discuss about converting html break tag into a new line in php. Other people said it's work for them but something weird happened to me.

this is the code I use:

$breaks = array("<br />", "<br>", "<br/>");  
$jawaban = str_ireplace($breaks, "&#13;&#10;", $jawaban1);`     

and this is the code they use :

$breaks = array("<br />", "<br>", "<br/>");
$text = str_ireplace($breaks, "\r\n", $text);

both insert "\r\n" into the text , why is this happening ?
screenshot:

if there's any previous post / PHP method let me know

EDIT : adding my code that echo the textbox

<-- THIS WONT WORK -->
$username = $_SESSION['username'];
$unsafenomorsoal = $_POST['nomorsoal'];
$unsafejawaban = $_POST['jawaban'];
$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);
$jawabannotcut = substr($unsafejawaban,0,50000);
$unsafejawabanfirst = nl2br($jawabannotcut);
$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);
$breaks = array("<br />","<br>","<br/>");
$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);
$_SESSION['textvaluejawaban'] = $jawaban;

and this is what echoed :

        echo "<div class=\"head-main-recent-background\"       style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">- Jawab   Soal -<br/>".$jawabanerror."<br/>Nama : ".$_SESSION['username']."<br/>
      <form method=\"post\" action=\"prosesjawabsoal.php\">
     <input type=\"hidden\" name=\"nomorsoal\"   value=\"".$_SESSION['nomorsoal']."\"/>
      Jawaban : <br/>
      <textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow-  x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea>
       <br/>Captcha <br/>
            <div style=\"overflow:hidden;\" class=\"g-recaptcha\" data-   sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/>
            <button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button>
           </form>
            </div>";

Note : The snippet won't work because it's php
Sorry i used snippet due to error while posting the code !

EDIT :
tried preg_replace() method but still same result

EDIT :
change title to tell that preg_replace not work

解决方案

Your problem is the mysqli_real_escape_string(). The converts the "\r\n" into a string to make it safe to input into the database. Remove it completely. Instead use htmlspecialchars when you output to screen:

echo htmlspecialchars($myUnsafeVar);

Apply these rules (as a starting point, there's always possible exceptions, but in rare cases):

• use mysqli_real_escape_string when inputting strings into a database. It won't do what you expect when outputting to screen - so anything that has been mysql escaped() should not appear on screen.
• use htmlspecialchars (which you don't have!) when outputting to screen.
• use url_encode for adding stuff into a URL
• There are also many different "escape" function (e.g. inserting into JSON, inserting into mysql, inserting into other databases). Use the right one for what you need - and don't use it for other purposes.

Check the functions for more details.

As it currently stands your code is not safe even with all those efforts - but it's really simple to fix!

这篇关于str_ireplace 或 preg_replace 将中断标记替换为 \r\n的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！