htmlspecialchars & ENT_QUOTES not working?

Posted on 2024-10-12 13:08:59, 640 characters, 11 views, 0 comments

Basically, on displaying data from a MySQL database, I have an htmlspecialchars() function below that should convert single and double quotes to their safe entities. The problem I'm having is that, on viewing the source code, it is only converting < > & when I also need it to convert single and double quotes.

//sanitize data from db before displaying on webpage
function htmlsan($htmlsanitize){
    return $htmlsanitize = htmlspecialchars($htmlsanitize, ENT_QUOTES, 'UTF-8');
}

Then when I want to use for example I do:

htmlsan($row['comment']);

Can someone tell me why it's not converting single and double quotes?

UPDATE

What's strange is that htmlsan() is used on the comment in an email, and when I view the source code of the email it converts them; it seems that it won't convert the single/double quotes from the database when displaying on the webpage. My database collation is also set to utf8_general_ci and I declare that I am using utf8 on the database connection etc.

Comments (5)

毁虫ゝ 2024-10-19 13:08:59

How exactly are you testing it?

<?php

//sanitize data from db before displaying on webpage
function htmlsan($htmlsanitize){
    return $htmlsanitize = htmlspecialchars($htmlsanitize, ENT_QUOTES, 'UTF-8');
}

var_dump(htmlsan('<>\'"'));

... prints:

string(20) "&lt;&gt;&#039;&quot;"

My guess is that your input string comes from Microsoft Word and contains typographical quotes:

var_dump(htmlsan('“foo”')); // string(9) "“foo”" 

If you do need to convert them for whatever the reason, you need htmlentities() rather than htmlspecialchars():

var_dump(htmlentities('“foo”', ENT_QUOTES, 'UTF-8')); // string(17) "&ldquo;foo&rdquo;"

Update #1

Alright, it's time for some proper testing. Type a single quote (') in your comment database field and run the following code when you retrieve it:

var_dump(bin2hex("'"));
var_dump(htmlspecialchars("'", ENT_QUOTES, 'UTF-8'));
var_dump(bin2hex($row['comment']));
var_dump(htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'));

It should print this:

string(2) "27"
string(6) "&#039;"
string(2) "27"
string(6) "&#039;"

Please update your question and confirm whether you ran this test and got the same or a different output.

Update #2

Please look carefully at the output you claim to be obtaining:

string(6) "'"

That's not a string with 6 characters. You are not looking at the real output: you are looking at the output as rendered by a browser. I'm pretty sure you are getting the expected result, i.e. string(6) "&#039;". If you render &#039; with a web browser it becomes '. Use the View Source menu in your browser to see the real output.
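
The test in this answer can be turned into one stand-alone script. What follows is an added example, not code from the question or from any answer on this page. It reuses the question's function name htmlsan(), adds ENT_SUBSTITUTE to it, and uses constructed inputs (an attacker string aimed at a single-quoted attribute, curly quotes, and a lone Latin-1 byte); the remark about PHP 8.1 default flags is a fact about PHP, not something this answer states.

```php
<?php
// Added example, not code from the question or any answer above. It shows (1) why
// ENT_QUOTES matters when output lands in a single-quoted attribute, (2) how to
// confirm the encoder's real output with bin2hex() instead of trusting a rendered
// browser view, (3) what htmlentities() does with typographic quotes, and (4) the
// failure mode when the declared charset does not match the bytes. Every input
// string is constructed for the demo; nothing comes from a database.

declare(strict_types=1);

// Same function as in the question, with ENT_SUBSTITUTE added so that invalid
// UTF-8 is replaced by U+FFFD instead of making the whole call return "".
function htmlsan(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// (1) Constructed attacker input that tries to break out of value='...'.
$comment = "x' onmouseover='alert(1)";

// ENT_COMPAT (the default flag set before PHP 8.1) leaves the single quote
// alone, so the attribute closes early and an event handler is injected.
$unsafe = htmlspecialchars($comment, ENT_COMPAT, 'UTF-8');
echo "<input value='$unsafe'>\n";
// <input value='x' onmouseover='alert(1)'>

// ENT_QUOTES encodes ' as &#039; and the payload stays inside the attribute.
$safe = htmlsan($comment);
echo "<input value='$safe'>\n";
// <input value='x&#039; onmouseover=&#039;alert(1)'>

// (2) Inspect bytes, not the rendering: &#039; is six ASCII bytes.
var_dump(bin2hex(htmlsan("'")));
// string(12) "26233033393b"
var_dump(htmlsan("'") === '&#039;');
// bool(true)

// (3) Curly quotes from a word processor are not special to HTML, so
// htmlspecialchars() leaves them untouched; htmlentities() names them.
$curly = "\u{201C}foo\u{201D}";
var_dump(htmlspecialchars($curly, ENT_QUOTES, 'UTF-8') === $curly);
// bool(true)
var_dump(htmlentities($curly, ENT_QUOTES, 'UTF-8'));
// string(17) "&ldquo;foo&rdquo;"

// (4) A byte that is not valid UTF-8, e.g. a Windows-1252 apostrophe (0x92)
// read over a connection that was never set to utf8. Without ENT_SUBSTITUTE
// the encoder returns an empty string, silently dropping the whole comment.
$latin1 = "it\x92s";
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));
// string(0) ""
var_dump(bin2hex(htmlsan($latin1)));
// string(12) "6974efbfbd73"   (the bad byte became U+FFFD, ef bf bd)
```

Run it from the command line (php example.php) so the output is raw text; served through a browser, the entities are rendered back into quotes, which is exactly the confusion described in this answer. Two practical notes: the charset argument must describe the bytes actually in the string, so the database connection charset and the 'UTF-8' passed here need to agree, and mb_convert_encoding() with the "HTML-ENTITIES" target is deprecated as of PHP 8.2, so htmlentities() is the supported way to name non-ASCII characters if that is ever needed.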

无语# 2024-10-19 13:08:59

When you view sourcecode using Firebug, Firebug shows it like the web browser displays it, I thought it would have shown the source code the same as if you went to View Source in Browser Menu Bar. A headache learnt and will be remembered. Thanks everyone for your valuable time and input.

穿越时光隧道 2024-10-19 13:08:59

Not sure if this will make any difference, but have you tried removing the `$htmlsanitize =` part?

function htmlsan($htmlsanitize){
    return htmlspecialchars($htmlsanitize, ENT_QUOTES, 'UTF-8');
}

俯瞰星空 2024-10-19 13:08:59

Had the same problem. My database is with utf-8_unicode_ci and my html charset utf-8, and htmlentities only converted everything but quotes. I thought that having same charset in both db and html would work fine, but it didn't. So I changed the charset on the html to iso-8859-1 and it worked. I don't know why, but it worked. My db is still with utf-8_unicode_ci.

归属感 2024-10-19 13:08:59

Using

htmlentities($htmlsanitize, ENT_QUOTES, 'UTF-8');

or

mb_convert_encoding($htmlsanitize, "HTML-ENTITIES", "UTF-8");

would probably do what you want.
