在echo语句中混合html和php变量 [英] Mixing html and php variables inside an echo statement
问题描述
这可能是我在一个语句中使用单引号和双引号时遇到的问题。但是我有这段代码:
echo'< form>
< input type =submitvalue =$ numberonClick =function();>
'
这个问题在于submit按钮说短语 $ number 而不是该变量的值。
所以我环顾四周,发现这个解决方案:
echo < form>
< / form>
< / form>
< input>'submit'value ='$ number'onClick ='function c> 这会正确输出$ number的值,但我习惯在echo语句周围使用单引号,并且希望保留它。为什么只是将所有单引号转换为双引号,并且将单引号加倍修复问题?是否对代码的第一位进行了修改,以便我可以将单引号保留为回显,并在属性上使用双引号? p>
在PHP中,双引号字符串会自动解析其中包含的任何变量,但单引号字符串不会。 >
$ myVar = 21;
echomyVar:$ myVar
输出文本: myVar:21
WHE reas:
$ myVar = 21;
echo'myVar:$ myVar'
输出文本: myVar:$ myVar
代码的一个问题是,在HTML中,元素属性的值必须用双引号引起来,不是单引号。我知道有些浏览器会接受这种形式(甚至根本没有引号),但这不是正确的方法。
有多种方法可以实现您的愿望,方法一:转义双引号字符串:
$ myVar = 21;
echo< div id = \$ myVar \>< / div>;
虽然这可能是一个相当不雅的解决方案,但它仍然有效。
方法二:使用带单引号字符串的字符串连接:
$ myVar = 21 ;
echo'< div id ='。$ myVar。'>< / div>';
这提供了一个更好的IMO解决方案,因为如果你使用函数调用或其他任何PHP代码希望。
警告: 的 $ myVar (即用户输入它的内容),将其直接放入HTML代码是一种跨站点脚本(XSS)形式的安全漏洞。假设用户输入如下内容:
lol>< script> alert('XSS!');< / script>< / div>< div id =lol2
代码包含以下内容:
< div id =lol>< script> alert('XSS!' );< / script>< / div>< div id =lol2>< / div>
这只是一个良好的例子,但攻击者可以轻松使用相同的技术来窃取用户的Cookie (假装以该用户身份登录)。这里的信息是,当你不能100%确定变量的内容时,不要直接将它插入到HTML代码中。相反,请调用 htmlspecialchars($ myVar)。这将转化为以下内容:
$ myVar = $ _POST ['whatever'];
echo'< div id ='。htmlspecialchars($ myVar)。'>< / div>';
This may be a problem of my trouble with using single and double quotes in one statement. But I have this piece of code:
echo '<form>
<input type="submit" value="$number" onClick="function();">
</form>'
The problem with this is that the submit button says the phrase $number instead of the value of that variable.
So I looked around and found this solution:
echo "<form>
<input type='submit' value='$number' onClick='function();'>
</form>
This outputs the value of $number correctly, but I am used to using single quotes around my echo statements and would like to keep it that way. Why does just switching all single quotes into doubles, and doubles into singles fix the problem? And is there a modification to the first bit of code that would allow me to keep the single quotes on echo, and double quotes on the attributes?
In PHP, double quoted strings are automatically parsed for any variables contained within, but single quoted strings are not. Therefore:
$myVar = 21;
echo "myVar: $myVar"
This outputs the text: myVar: 21
Whereas:
$myVar = 21;
echo 'myVar: $myVar'
This outputs the text: myVar: $myVar
One problem with your code is that in HTML, the values of elements' attributes must be enclosed in double quotes, not single quotes. I know that some browsers will accept this form (or even no quotes at all), but this is not the correct method.
There are various ways of achieving what you wish, correctly.
Method one: Escaping double-quoted strings:
$myVar = 21;
echo "<div id=\"$myVar\"></div>";
While this may be a rather inelegant solution, it will work.
Method two: Using string concatenation with single (or double) quoted strings:
$myVar = 21;
echo '<div id="' . $myVar . '"></div>';
This offers a better solution IMO because you can use function calls or any other PHP code in there if you wish.
WARNING:
Please note that when you aren't certain of the contents of $myVar (i.e. the user enters it in), putting it directly into HTML code is a security vulnerability in the form of cross-site scripting (XSS). Imagine the user enters something like this:
lol"><script>alert('XSS!');</script></div><div id="lol2
This will cause the resulting HTML code to contain the following:
<div id="lol"><script>alert('XSS!');</script></div><div id="lol2"></div>
This is just a benign example, but an attacker could easily use the same technique to steal a user's cookies (to pretend to be logged in as that user). The message here is that when you aren't 100% sure of the contents of a variable, don't insert it into HTML code directly. Instead, call htmlspecialchars($myVar). This would translate to the following:
$myVar = $_POST['whatever'];
echo '<div id="' . htmlspecialchars($myVar) . '"></div>';
这篇关于在echo语句中混合html和php变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
