php strip_tags 和 htmlentities
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5788314/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
strip_tags and htmlentities
提问by Somebody
Should I use htmlentitieswith strip_tags?
我应该使用htmlentities带strip_tags?
I am currently using strip_tagswhen adding to database and thinking about removing htmlentitieson output; I want to avoid unnecessary processing while generating HTML on the server.
我目前正在strip_tags添加到数据库并考虑删除htmlentities输出时使用;我想在服务器上生成 HTML 时避免不必要的处理。
Is it safe to use only strip_tagswithout allowed tags?
仅在strip_tags没有允许的标签的情况下使用是否安全?
回答by NikiC
First: Use the escaping method only as soon as you need it. I.e. if you insert something into a database, only escape it for the database, i.e. apply mysql_real_escape_string(or PDO->quoteor whatever database layer you are using). But don't yet apply any escaping for the output. No strip_tagsor similar yet. This is because you may want to use the data stored in the database someplace else, where HTML escaping isn't necessary, but only makes the text ugly.
第一:仅在需要时才使用转义方法。即,如果您将某些内容插入到数据库中,则仅将其转义到数据库中,即应用mysql_real_escape_string(或PDO->quote您正在使用的任何数据库层)。但是还没有对输出应用任何转义。没有strip_tags或类似。这是因为您可能希望在其他地方使用存储在数据库中的数据,在那里不需要 HTML 转义,而只会使文本变得丑陋。
Second: You should not use strip_tags. It removes the tags altogether. I.e. the user doesn't get the same output as he typed in. Instead use htmlspecialchars. It will give the user the same output, but will make it harmless.
第二:你不应该使用strip_tags. 它完全删除了标签。即用户没有得到与他输入相同的输出。而是使用htmlspecialchars. 它将为用户提供相同的输出,但会使其无害。
回答by nickf
strip_tagswill remove all HTML tags:
strip_tags将删除所有 HTML 标签:
"<b>foo</b><i>bar</i>" --> "foobar"
htmlentitieswill encode characters which are special characters in HTML
htmlentities将对 HTML 中的特殊字符进行编码
"a & b" --> "a & b"
"<b>foo</b>" --> "<b>foo</b>"
If you use htmlentities, then when you output the string to the browser, the user should see the text as they entered it, not as HTML
如果您使用htmlentities,那么当您将字符串输出到浏览器时,用户应该看到他们输入的文本,而不是 HTML
echo htmlentities("<b>foo</b>");
Visually results in: <b>foo</b>
视觉结果:<b>foo</b>
echo strip_tags("<b>foo</b>");
Results in: foo
结果:foo
回答by matty
I wouldn't use htmlentitiesas this will allow you to insert the string, as is, into the database. Yhis is no good for account details or forums.
我不会使用,htmlentities因为这将允许您按原样将字符串插入到数据库中。Yhi 不适合帐户详细信息或论坛。
Use mysql_real_escape_stringfor inserting data into the database, and strip_tagsfor receiving data from the database and echoing out to the screen.
使用mysql_real_escape_string用于插入数据到数据库中,并strip_tags用于从所述数据库接收数据和呼应出到屏幕上。
回答by hafidh
try this one and see the differences:
试试这个,看看区别:
<?php
$d= isset($argv[1]) ? $argv[1] : "empty argv[1]".PHP_EOL;
echo strip_tags(htmlentities($d)) . PHP_EOL;
echo htmlentities(strip_tags($d)) . PHP_EOL;
?>
open up cmd or your terminal and type something like following;
打开 cmd 或您的终端并输入如下内容;
php your_script.php "<br>foo</br>"
this should get what you want and safe !
这应该得到你想要的和安全的!
