php GET 带空格的变量 - 它们可以工作,但它是正确的还是可以的?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5616089/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
GET variables with spaces - they work, but is it correct or ok?
提问by Dave
I have a PHP page where I'm passing the city name via a "city" URL/GET variable. Currently, it's passing the actual city name even if it has spaces (eg .php?city=New York). I then take the $city GET variable and run a MySQL query against cities.name.
我有一个 PHP 页面,我在其中通过“城市”URL/GET 变量传递城市名称。目前,即使它有空格(例如.php?city=New York),它也会传递实际的城市名称。然后我使用 $city GET 变量并针对城市名称运行 MySQL 查询。
This works just fine - but I've always been under the impression any variables, URL/GET or otherwise should never have spaces. I'm more than capable of either replacing the spaces w/ underscores, or removing them, and putting them back in for the query...etc - but I thought I'd ask first in case spaces are completely fine, and it was just my superstition telling me otherwise.
这工作得很好 - 但我一直认为任何变量、URL/GET 或其他方式都不应该有空格。我完全有能力替换带下划线的空格,或者删除它们,然后将它们放回查询中......等等 - 但我想我会先问,以防空格完全没问题,它是只是我的迷信告诉我不然。
回答by alex
Spaces are fine, and are generally encoded with +.
空格很好,通常用+.
To be extra safe, use urlencode()on your values if manually adding them to your GET params.
为了更加安全,urlencode()如果手动将它们添加到您的 GET 参数,请使用您的值。
echo urlencode('New York'); // New+York
键盘。
Otherwise, if your form if submitting as GET params, just leave them as they are :)
否则,如果您的表单作为 GET 参数提交,请保持原样:)
I then take the $city GET variable and run a MySQL query against cities.name.
然后我使用 $city GET 变量并针对城市名称运行 MySQL 查询。
Make sure you are using the suitable database escaping mechanism to be safe from SQL injection.
确保您使用合适的数据库转义机制以防止 SQL 注入。
回答by Dave B
This works fine without using encodeURI() or encodeURIComponent() for parameters with blank spaces from Javascript to Php or Python.
这在不使用 encodeURI() 或 encodeURIComponent() 用于从 Javascript 到 Php 或 Python 的空格参数的情况下工作正常。
echo shell_exec("python test.py \"".$_POST['ytitle']."\" \"".$_POST['yurl']."\"");
Thanks for the note from https://stackoverflow.com/users/8712097/tom-arandaHere's the safer code.
感谢来自https://stackoverflow.com/users/8712097/tom-aranda的注释 这是更安全的代码。
system(escapeshellcmd("python GreaseMonkey_Php_Youtube_srt_generator.py ".$_POST['yurl']));
回答by ariefbayu
Space in URL is fine. One thing you need to take note is whenever working with variable taken from outside your control (URL variable, Cookies, etc, etc). Always remember to clean it up to prevent sql injection, XSS, and other malicious attack.
URL 中的空格很好。您需要注意的一件事是,无论何时使用从您的控制之外获取的变量(URL 变量、Cookie 等)。时刻记得清理干净,防止sql注入、XSS等恶意攻击。
