str_ireplace 或 preg_replace 将中断标记替换为 \r\n [英] str_ireplace or preg_replace replaced break tag into \r\n
问题描述
我已阅读
如果有任何以前的帖子/PHP方法让我知道
添加我的代码来回显文本框
<-- 这行不通-->$username = $_SESSION['username'];$unsafenomorsoal = $_POST['nomorsoal'];$unsafejawaban = $_POST['jawaban'];$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);$jawabannotcut = substr($unsafejawaban,0,50000);$unsafejawabanfirst = nl2br($jawabannotcut);$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);$breaks = array("<br/>","<br>","<br/>");$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);$_SESSION['textvaluejawaban'] = $jawaban;
这就是回应:
echo "<div class=\"head-main-recent-background\" style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">-Jawab Soal -<br/>".$jawabanerror."<br/>Nama:.$_SESSION['用户名']."<br/><form method=\"post\" action=\"prosesjawabsoal.php\"><input type=\"hidden\" name=\"nomorsoal\" value=\"".$_SESSION['nomorsoal']."\"/>贾瓦班:<br/><textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow- x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea><br/>验证码 <br/><div style=\"overflow:hidden;\" class=\"g-recaptcha\" data-sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/><button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button></表单>
";
注意:该代码段不起作用,因为它是 php
抱歉,由于发布代码时出错,我使用了代码片段!
尝试了 preg_replace() 方法,但结果仍然相同
更改标题以说明 preg_replace 不起作用
你的问题是 mysqli_real_escape_string().将\r\n"转换为字符串以使其安全地输入到数据库中.完全删除它.而是在输出到屏幕时使用 htmlspecialchars
:
echo htmlspecialchars($myUnsafeVar);
应用这些规则(作为起点,总是有可能的例外,但在极少数情况下):
- 在将字符串输入数据库时使用
mysqli_real_escape_string
.输出到屏幕时它不会像您期望的那样做 - 所以任何已经被 mysql 转义()的东西都不应该出现在屏幕上. - 在输出到屏幕时使用
htmlspecialchars
(您没有!). - 使用
url_encode
将内容添加到 URL 中 - 还有许多不同的转义"功能(例如插入 JSON、插入 mysql、插入其他数据库).根据您的需要使用正确的工具 - 请勿将其用于其他目的.
检查功能以获取更多详细信息.
就目前而言,即使采取了所有这些努力,您的代码也不安全 - 但修复起来非常简单!
I have read this post that discuss about converting html break tag into a new line in php. Other people said it's work for them but something weird happened to me.
this is the code I use:
$breaks = array("<br />", "<br>", "<br/>");
$jawaban = str_ireplace($breaks, " ", $jawaban1);`
and this is the code they use :
$breaks = array("<br />", "<br>", "<br/>");
$text = str_ireplace($breaks, "\r\n", $text);
both insert "\r\n
" into the text , why is this happening ?
screenshot:
if there's any previous post / PHP method let me know
EDIT : adding my code that echo the textbox
<-- THIS WONT WORK -->
$username = $_SESSION['username'];
$unsafenomorsoal = $_POST['nomorsoal'];
$unsafejawaban = $_POST['jawaban'];
$nomorsoal = mysqli_real_escape_string($konek,$unsafenomorsoal);
$jawabannotcut = substr($unsafejawaban,0,50000);
$unsafejawabanfirst = nl2br($jawabannotcut);
$jawaban1 = mysqli_real_escape_string($konek,$unsafejawabanfirst);
$breaks = array("<br />","<br>","<br/>");
$jawaban = str_ireplace($breaks, PHP_EOL, $jawaban1);
$_SESSION['textvaluejawaban'] = $jawaban;
and this is what echoed :
echo "<div class=\"head-main-recent-background\" style=\"background:white;width:99%;color:black;text-align:left;height:1000px;position:relative;top:130px;margin-top:10px;\">- Jawab Soal -<br/>".$jawabanerror."<br/>Nama : ".$_SESSION['username']."<br/>
<form method=\"post\" action=\"prosesjawabsoal.php\">
<input type=\"hidden\" name=\"nomorsoal\" value=\"".$_SESSION['nomorsoal']."\"/>
Jawaban : <br/>
<textarea placeholder=\"Max 40.000 Huruf\" style=\"overflow- x:none;width:99%;height:300px;\" type=\"text\" name=\"jawaban\" maxlength=\"40000\" >".$_SESSION['textvaluejawaban']."</textarea>
<br/>Captcha <br/>
<div style=\"overflow:hidden;\" class=\"g-recaptcha\" data- sitekey=\"6LfYQicTAAAAAFstkQsUDVgQ60x_93obnKAMKIM9\"></div><br/>
<button type=\"submit\" name=\"submit\" style=\"margin-top:10px;height:auto;width:auto;\">Kirim Jawaban</button>
</form>
</div>";
Note : The snippet won't work because it's php
Sorry i used snippet due to error while posting the code !
EDIT :
tried preg_replace() method but still same result
EDIT :
change title to tell that preg_replace not work
Your problem is the mysqli_real_escape_string(). The converts the "\r\n" into a string to make it safe to input into the database. Remove it completely. Instead use htmlspecialchars
when you output to screen:
echo htmlspecialchars($myUnsafeVar);
Apply these rules (as a starting point, there's always possible exceptions, but in rare cases):
- use
mysqli_real_escape_string
when inputting strings into a database. It won't do what you expect when outputting to screen - so anything that has been mysql escaped() should not appear on screen. - use
htmlspecialchars
(which you don't have!) when outputting to screen. - use
url_encode
for adding stuff into a URL - There are also many different "escape" function (e.g. inserting into JSON, inserting into mysql, inserting into other databases). Use the right one for what you need - and don't use it for other purposes.
Check the functions for more details.
As it currently stands your code is not safe even with all those efforts - but it's really simple to fix!
这篇关于str_ireplace 或 preg_replace 将中断标记替换为 \r\n的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!