我有一些页面存储在数据库中。出于安全目的,所有页面在保存到数据库之前都被转义,但是当我打印页面时,HTML标签仍然被转义。像这样
<a href=\"mypage.se\" alt=\"\">Link</a>
显然,这不是很好,所以我如何取消转义页面?我试过 html_entity_decode 没有任何成功。
问问题
8304 次
4 回答
10
While data should be escaped before inserting it into the database, it shouldn't still be escaped when you take it out. The root cause of your problem is that it is being escaped twice between collection and examining it after it comes out of the database.
You should track down why it is being escaped twice and fix that.
That may leave the existing data broken though (it depends on if the data is being escaped twice on the way in or if it is being escaped on the way out of the database with magic_quotes_runtime). If so, you will need to clean it up. That form of escaping has nothing to do with HTML and can be reversed with stripslashes.
The clean up will look something like:
- SELECT * from database_table
- Create a prepared UPDATE statement to update a row
- foreach row
stripslasheson the data that was double escaped, pass the data to the prepared statement
于 2012-04-30T09:32:45.120 回答
4
使用stripslashes():http ://uk3.php.net/manual/en/function.stripslashes.php
于 2012-04-30T09:31:25.880 回答
0
用于stripslashes($str)检索内容并删除在将内容插入数据库期间添加的斜线。
谢谢
于 2012-04-30T10:41:24.260 回答
-3
mysql 数据库输入字符串应始终使用 mysql_real_escape_string() 进行转义,当它们出现时,应使用 stripslashes() 对其进行转义。对于像 id 这样的数字,应该使用 int() 将它们转换为整数,然后进行范围检查:例如,像 id 这样的 AUTO_INCREMENT 列默认以 1 开头。因此,对于从 $_GET[] 或 $_POST 获得的任何内容进行验证检查[],检查您的 int() 编号是否 >= 1。通过 int() 过滤所有整数。通过 doubleval() 过滤所有实数,除非您正在处理货币值并且您有自己的十进制数类 - 浮点可以破坏金钱。
于 2012-04-30T09:49:20.887 回答