如何避免引用Delphi生成的PHP字符串？ [英] How to escape quote PHP strings generated by Delphi?

问题描述

我的代码散布着这样的东西

My code is littered with things like this

    Write  (thePhpFile, '    echo "<option value=\"' +
                                    theControl.Name +
                                    '_selection\">" . $' +
                                     theControl.Name +
                                     '_values[$_POST["' +
                                      theControl.Name +
                                      '_selection"]];');

其中包含以下PHP代码

which genrates the following PHP code

 echo "<option value=\"ComboBox1_selection\">" . 
                      $ComboBox1_values[$_POST["ComboBox1_selection"]];?>

当然有更好的方法来处理这个问题？也许是一个Delphi函数，我可以传递所需的PHP字符串，并在必要时加倍报价？还是我自欺欺人？

Surely there's a better way to handle this? Maybe a Delphi function which I can pass the desired PHP string and have it double up quotes where necessary? Or am I deluding myself?

基本算法似乎是

// assume all PHP strings are double quoted, even when it's inefficient
find the first double quote, if any
find the last double quote, if any  
for every double quote in between
   change it to \""

这听起来不错吗？也许我应该自己编写代码？

Does that sound right? Maybe I should code it myself?

嗯，不是那么容易...在上面的代码片段中，我们不想逃避 $ _ POST [ComboBox1_selection] - 更好的是手工编码顶部的混乱？

Hmmm, not so easy ... in the snippet above, we wouldn't want to escape $_POST["ComboBox1_selection"] - better just to hand code the mess shown at the top?

任何想法？我现在要谷歌从delphi生成php - 这可能是我应该在几周前完成的： - /

Any ideas? I'm off now to google "generating php from delphi" - which is probably what I should have done weeks ago :-/

推荐答案

p>你不只是生成PHP。您正在生成PHP，从而生成HTML。您的程序将需要注意两种语言的字符串编码规则。编写两个单独的函数可能会更容易：

You're not just generating PHP. You're generating PHP that in turn generates HTML. Your program will need to be aware of both languages' string-encoding rules. It will probably be easier to write two separate functions for that:

function QuoteStringForPHP(s: string): string;
function QuoteHTMLAttributeValue(s: string): string;

根据你的例子，你可以这样使用：

Given your example, you'd use them like this:

ControlName := theControl.Name;
ValueName := ControlName + '_values';
SelectionName := ControlName + '_selection';
Write(thePhpFile, '    echo ' +
  QuoteStringForPHP(
    '<option value=' +
      QuoteHTMLAttributeValue(SelectionName) +
    '>'
  ) +
  '.' +
  '$' + ValueName + '[$_POST[' +
    QuoteStringForPHP(SelectionName) +
  ']];'
);

写下他们很简单：

// Input: Any sequence of characters
// Output: A single-quoted PHP string literal
function QuoteStringForPHP(s: string): string;
begin
  // Commented apostrophes are only to fix Stack Overflow's code highlighting
  s := StringReplace(s, '\' {'}, '\\', [rfReplaceAll]);
  s := StringReplace(s, '''', '\''' {'}, [rfReplaceAll]);
  Result := '''' + s + '''';
end;

// Input: Any sequence of valid HTML text characters
// Precondition: s has not already had any HTML encoding applied to
//               it; i.e., no character references
// Output: A single-quoted HTML attribute value
function QuoteHTMLAttributeValue(s: string): string;
begin
  s := StringReplace(s, '&', '&', [rfReplaceAll]);
  s := StringReplace(s, '''', ''', [rfReplaceAll]);
  Result := '''' + s + '''';
end;

我选择使用撇号而不是引号，因为这样可以使PHP转义更容易。如果您的PHP字符串使用引号，那么您需要担心变量插值。使用撇号，这个问题消失了。

I chose to use apostrophes rather than quotation marks since that makes PHP escaping easier. If you use quotation marks for your PHP strings, then you need to worry about variable interpolation. With apostrophes, that problem goes away.

通过使 QuoteStringForPHP 负责引用和逃脱，你逃避容易。没有更多的猜测，哪些角色需要转义，因为他们所有做。只有在转义工作完成后才添加不需要转义的文件。

By making QuoteStringForPHP responsible for quoting and escaping, you make escaping easy. There's no more guesswork about which characters need escaping because they all do. The ones that don't need escaping are only added after the escaping work is complete.

这篇关于如何避免引用Delphi生成的PHP字符串？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！