javascript 使用 PHP 在变量中转义引号
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5686086/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Escape quotes in a variable with PHP
提问by Alexander
I use this code to genefate html
我使用此代码来生成 html
echo "<input type='button' onclick=\"myFunc('$param');\" />";
Everything would be OK unless $param contains 'or "character. How should it be implemented to handle these situations?
除非 $param 包含'或"字符,否则一切都会好起来的。应该如何实施来处理这些情况?
ps. mysql_real_escape_string($param) won't work correctly, when a user entered ".
附:mysql_real_escape_string($param) 将无法正常工作,当用户输入".
回答by Nick
There are a couple of functions that could be used:
有几个函数可以使用:
<?php
$string = 'string test"';
echo htmlentities($string) . "\n";
echo addslashes($string) . "\n";
They produce the following:
他们生产以下产品:
string test"
string test\"
回答by jbasko
If you are relying on user input, use htmlentities($param, ENT_QUOTES);
如果您依赖于用户输入,请使用 htmlentities($param, ENT_QUOTES);
回答by mister koz
As Damien said; use addslashes :)
正如达米安所说;使用加斜线 :)
$param=addslashes($param);
echo "<input type='button' onclick=\"myFunc('$param');\" />";
回答by NoxArt
Whenever thinking about escaping, you always need to ask
"In which context do I want to escape?"
Because escaping is essentialy making sure the input is not interpreted in the special meaning of the target, but literaly
每当想到逃跑时,你总是需要问
“我想在什么情况下逃跑?”
因为转义本质上是确保输入不被解释为目标的特殊含义,而是字面意思
Do notuse addslashes, since it's contextless
千万不能使用和addslashes,因为它的无上下文
If you are inserting the string into HTML, use
如果要将字符串插入 HTML,请使用
htmlspecialchars($argument, ENT_QUOTES)
as mentioned.
如前所述。
The onclickcontent part is technicaly JavaScript, so it might be appropriate to escape the contentwith json_encode (it's side-effect is JavaScript-specific escaping). Similarly should you have style attribute, you'd want to escape the contentwith
该的onclick内容部分是technicaly JavaScript,因此它可能是适当的逃生内容与json_encode(它的副作用是JavaScript的具体逃逸)。同样,你应该有样式属性,你想逃避的内容与
addcslashes($s, "\x00..\x2C./:;<=>?@[\]^`{|}~")
(来源:http: //translate.google.com/translate?u=http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en)
Summary
Use
总结
使用
$param = htmlspecialchars(json_encode($param), ENT_QUOTES)
and then you can safely include it into the HTML string
然后你可以安全地将它包含到 HTML 字符串中
回答by Shakti Singh
Pass variable from htmlspecialchars($pram,ENT_QUOTES)
传递变量来自 htmlspecialchars($pram,ENT_QUOTES)
回答by diEcho
first do
先做
// only for the GUY who didn't read the complete answer :(
$param=addslashes($param);
then write code in simple HTML
然后用简单的 HTML 编写代码
<input type='button' onclick="myFunc(<?php echo $param?>);" />
Note:mysql_real_escape_stringworks when we handle with mysqltry with addslashes
注意:mysql_real_escape_string当我们处理 mysqltry 时有效addslashes
回答by cPage
This works for me...
这对我有用...
echo '<a href="#" onclick="showTable(''.$table.'')">'.$table.'</a>';
It's not necessary to use backslaches for escaping when using single quote for echo. Single quote have my vote to work with both php and javascript + html tag.
对 echo 使用单引号时,没有必要使用 backslaches 进行转义。单引号让我投票支持 php 和 javascript + html 标签。
