Escape quotes in a variable with PHP

Backend · Unresolved · 7 · 516
温柔的废话 2021-01-12 03:16

I use this code to generate HTML

echo "<input type='button' onclick=\"myFunc('$param');\" />";

Everything would be OK unless

7 answers
  • 2021-01-12 03:26

    If you are relying on user input, use htmlentities($param, ENT_QUOTES);

    See http://uk.php.net/manual/en/function.htmlentities.php

  • 2021-01-12 03:31

    There are a couple of functions that could be used:

    <?php
    $string = 'string test"';
    
    echo htmlentities($string) . "\n";
    echo addslashes($string) . "\n";
    

    They produce the following:

    string test&quot;
    string test\"
    
  • 2021-01-12 03:33

    This works for me...

    echo '<a href="#" onclick="showTable(&#039;'.$table.'&#039;)">'.$table.'</a>';
    

    It's not necessary to use backslashes for escaping when using single quotes for echo. Single quotes have my vote for working with both PHP and JavaScript + HTML tags.

  • 2021-01-12 03:36

    Whenever thinking about escaping, you always need to ask
    "In which context do I want to escape?"
    Because escaping is essentially making sure the input is not interpreted in the special meaning of the target, but literally.

    Do not use addslashes, since it's contextless

    If you are inserting the string into HTML, use

    htmlspecialchars($argument, ENT_QUOTES)
    

    as mentioned.

    The onclick content part is technically JavaScript, so it might be appropriate to escape the content with json_encode (its side effect is JavaScript-specific escaping). Similarly, should you have a style attribute, you'd want to escape the content with

    addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~")
    

    (source: http://translate.google.com/translate?u=http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en)

    Summary
    Use

    $param = htmlspecialchars(json_encode($param), ENT_QUOTES)
    

    and then you can safely include it into the HTML string

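As an added example (not part of any answer in this thread), here is the two-layer approach from the previous answer carried through in PHP, shown next to the addslashes output that other answers suggest. The function names and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Escapes a PHP value for use
// as a JavaScript string literal inside an HTML event-handler attribute:
// JSON-encode for the JavaScript context, then HTML-escape for the
// attribute context. Function names and sample input are constructed.

function jsStringInAttribute(string $value): string
{
    // JSON_HEX_* turns < > & ' " into \uXXXX, so the JavaScript literal
    // contains no character that is special to the HTML parser.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    // Second layer: the attribute is delimited by double quotes, so the
    // remaining quotes (the JSON string delimiters) become entities.
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderButton(string $param): string
{
    return '<input type="button" onclick="myFunc(' . jsStringInAttribute($param) . ');" />';
}

// What the browser hands to myFunc(): undo the HTML layer, then the JSON layer.
function roundTrip(string $param): string
{
    $attr = htmlspecialchars_decode(jsStringInAttribute($param), ENT_QUOTES);
    return json_decode($attr, false, 512, JSON_THROW_ON_ERROR);
}

// Constructed input containing every delimiter the thread worries about.
$param = 'She said "hi" & it\'s 5 < 6';

// addslashes only yields \" which the HTML parser does not understand:
// the attribute value ends at that quote and the markup breaks.
echo 'addslashes:  ', addslashes($param), PHP_EOL;
echo 'safe markup: ', renderButton($param), PHP_EOL;
echo 'JS receives: ', roundTrip($param), PHP_EOL;
assert(roundTrip($param) === $param);
```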
  • 2021-01-12 03:39

    As Damien said, use addslashes :)

    $param=addslashes($param);
    echo "<input type='button' onclick=\"myFunc('$param');\" />";
    
  • 2021-01-12 03:44

    First do

    // only for the GUY who didn't read the complete answer :(
    $param=addslashes($param); 
    

    then write code in simple HTML

    <input type='button' onclick="myFunc(<?php echo $param?>);" />
    

    Note: mysql_real_escape_string works when we are dealing with MySQL; try with addslashes
