php 如何通过php在mysql中插入特殊字符并显示在html页面上
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2122866/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
how to insert special character in mysql via php and display on html page
提问by diEcho
how to insert special characters into a database(MySQL) like
如何将特殊字符插入数据库(MySQL),如
Registered symbol ( ? )OR
Copyright sign ( ? )OR
Trade Mark sign ( ? )
Registered symbol ( ? )或
Copyright sign ( ? )或
Trade Mark sign ( ? )
Also I want to display as original on the html page.
我也想在 html 页面上显示为原始内容。
What I have to do in both side (front end and back end), please elaborate
两边(前端和后端)要做什么,请详细说明
Which function is more effective?
哪个功能更有效?
Method 1:
方法一:
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
if(get_magic_quotes_gpc()){
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_GET = array_map('strip_tags', $_GET);
$_POST = array_map('strip_tags', $_POST);
}
else{
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
}
Method 2:
方法二:
foreach ($_POST as $key=>$value){
if (!get_magic_quotes_gpc()) {
return addslashes(htmlentities(strip_tags($value),ENT_QUOTES,'UTF-8'));
}
else {
return htmlentities(strip_tags($value),ENT_QUOTES,'UTF-8');
}
}
I am a bit confused what is the difference between
我有点困惑有什么区别
htmlentities()and htlspecialchars(), and which one i have to use?
htmlentities()和htlspecialchars(),我必须使用哪一个?
which function should be used addslashes()or stripslashes()when insert into database?
应该使用哪个函数addslashes()或stripslashes()何时插入数据库?
回答by Crozin
Just simply add those symbols to your text, and execute it as SQL query:
只需将这些符号添加到您的文本中,然后将其作为 SQL 查询执行:
INSERT INTO tbl_name VALUES ("Here's my text: ??");
When you want to display it one the website don't do anything with these symbols (but remember to escape at least <, >, &(using htmlspecialchars()) cause those has special meaning in XML/SGML (HTML) documents)
当您想显示它时,网站不会对这些符号做任何事情(但请记住至少要转义<, >, &(使用htmlspecialchars())因为它们在 XML/SGML (HTML) 文档中具有特殊含义)
PS. Also remember to escape text passed to SQL query using mysql_real_escape_string()to avoid any SQL Injection problems. If your server has magic_quotes_gpcenabled disable it or at least filter your GET/POST/COOKIE data to its raw value. You should always consciously escape values.
附注。还要记住使用mysql_real_escape_string()转义传递给 SQL 查询的文本以避免任何 SQL 注入问题。如果您的服务器已magic_quotes_gpc启用禁用它或至少将您的 GET/POST/COOKIE 数据过滤为其原始值。你应该总是有意识地逃避价值观。
EDIT:
编辑:
According to your comment... I don't remember whether magic_quotes_gpcare enabled by default but you can easily undone magic quotes effect. Just on the very beginning of your PHP code add something like this:
根据您的评论...我不记得是否magic_quotes_gpc默认启用,但您可以轻松撤消魔术引号效果。就在 PHP 代码的最开始添加如下内容:
if (get_magic_quotes_gpc()) {
array_walk_recursive($_GET, 'stripslashes');
array_walk_recursive($_POST, 'stripslashes');
array_walk_recursive($_COOKIE, 'stripslashes');
}
Now each GPC value should be always raw - without quotes - so you have to escape it manually before passing any variable into query.
现在每个 GPC 值都应该是原始的——没有引号——所以你必须在将任何变量传递给查询之前手动转义它。
回答by Mark Bell
From the PHP docs for htmlentities():
来自 PHP 文档htmlentities():
This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
该函数在所有方面都与 htmlspecialchars() 相同,除了 htmlentities(),所有具有 HTML 字符实体等效项的字符都被转换为这些实体。
Don't worry about encoding things when you store them: store the data raw, and then encode it with htmlentities()when you display it in your HTML.
存储时不要担心编码:存储原始数据,然后htmlentities()在 HTML 中显示时使用它进行编码。
Edit: Also, read this.
编辑:另外,阅读这个。
回答by John Parker
For starters, you should just use mysql_real_escape_string when inserting into the database- this will ensure that whatever you store is safely encoded, yet retains all of the original information.
首先,您应该在插入数据库时使用 mysql_real_escape_string- 这将确保您存储的任何内容都经过安全编码,同时保留所有原始信息。
In terms of output, the key difference between htmlentities and htmlspecialchars is that htmlentities will convert all characters that have entitieswhereas htmlspecialchars will only convert <, >, &, ", '
在输出方面,htmlentities 和 htmlspecialchars 之间的主要区别在于 htmlentities将转换所有具有实体的字符,而htmlspecialchars 将仅转换 <、>、&、"、'
回答by Vaibhav Tomar
Just use prepared statements.
只需使用准备好的语句。
$con = <"Your database connection">;
$input = "What's up? ?, ?, ?";
$stmt = $con->prepare("insert into `tablename` (`field`)values(?)");
$stmt->bind_param("s",$input);
$stmt->execute();
