CakePHP - Escape (htmlspecialchars) not working for FormHelper


Question

I was under the impression that the FormHelper not only automatically protects me from SQL injection, but also by default escapes special characters like the HtmlHelper does. However, when I have:

<?php echo $this->Form->input('field', array('escape' => true)); ?>

and then enter & and ' for example into the field and hit save, these special characters get saved to the database without any escaping. This also happens without setting the option escape to true. So my question follows.

Is it true that CakePHP is designed so that you are neither supposed nor able to escape a form field before saving using the options of the FormHelper? Or am I doing something wrong?

Answer

You are doing it wrong: you should escape all kinds of output that do not go through a core helper by using the h() function, a shortcut for htmlspecialchars(). The core helpers, like Html::link(), will do that escaping automatically.

See also: How to escape output in PHP
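The answer's point, that escaping belongs at output time and not before saving, as an added example that is not part of the original question or answer. The `h()` defined here is a stand-in so the script runs outside a CakePHP application; CakePHP's own `h()` also wraps `htmlspecialchars()`, but the exact signature below is an assumption, and the submitted string is constructed for the demonstration.

```php
<?php
// Added example, not code from the original post or from CakePHP itself.
// Stand-in for CakePHP's h() helper (assumed signature) so this runs stand-alone:
// ENT_QUOTES encodes both " and ', which matters inside HTML attribute values.
declare(strict_types=1);

function h(string $text, bool $double = true): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', $double);
}

// Render a form field the way a helper would: the *markup* is escaped,
// but nothing here can change what the browser later submits back.
function renderInput(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Constructed sample: what a user might type into the field before hitting save.
$submitted = "Tom & Jerry's <script>alert('xss')</script>";

// 1. Store it as-is. The quote is harmless to a parameterised query (the model
//    layer's job); HTML escaping has no business in the database.
$stored = $submitted;

// 2. Printing the stored value unescaped lets the <script> tag reach the browser.
$unsafeHtml = "<p>{$stored}</p>";

// 3. Printing it through h() turns every special character into an entity.
$safeHtml = '<p>' . h($stored) . '</p>';

// 4. Re-rendering the value into the form's own field: ENT_QUOTES keeps the
//    single quote from closing or breaking out of the value="..." attribute.
$fieldHtml = renderInput('field', $stored);

// 5. The anti-pattern the question was reaching for: escaping before saving.
//    Once the row is printed through h() like every other field, the entities
//    themselves get escaped again, so "&" and "'" render as literal entity text.
$escapedOnSave = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
$doubleEscaped = h($escapedOnSave);
// Passing $double = false papers over it, but now every template has to know
// which columns were pre-escaped and which were not.
$notReEscaped = h($escapedOnSave, false);

printf("stored:            %s\n", $stored);
printf("unsafe output:     %s\n", $unsafeHtml);
printf("safe output:       %s\n", $safeHtml);
printf("field markup:      %s\n", $fieldHtml);
printf("double-escaped:    %s\n", $doubleEscaped);
printf("double=false:      %s\n", $notReEscaped);
```

Run it with `php example.php`. The takeaway is the one the answer gives: keep the raw value in the database, let parameterised queries deal with quotes, and call `h()` (or a core helper that does it for you) at the point where the value is written into HTML. The `escape` option of a view helper only affects the markup that helper emits; it cannot alter what the browser sends back when the form is submitted.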
