-1

我在 PHP 中有一个注释系统,当用户在 textarea 中键入换行符时,它显示为 rn(注意:我正在清理这个输入并使用 htmlentities(),并且我有自定义标记)。

这是我当前的代码(包括尝试换行符):

$comment_content =stripslashes(str_replace('\r\n', '@//', mysql_real_escape_string($_POST['comment_content'])));
$comment_content = htmlentities($comment_content);
$comment_content = mysql_real_escape_string(str_replace("====", "<span class=".$bold.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("===", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~~", "<span class=".$italic.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("++++", "<span class=".$big.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("+++", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("___", "<span class=".$underline.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("__", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("@//", "<br>", $comment_content));
$comment_content = comment_sanitize($comment_content);

这就是我消毒的方式:

function sanitize($sql, $formUse = true) {
    $sql = preg_replace("/(from|script|src|select|insert|delete|where|drop table|show tables|`|,|'|\*|\\\\)/i","",$sql);
    $sql = trim($sql);
    if(!$formUse || !get_magic_quotes_gpc()) {
        $sql = addslashes($sql);
    }
    return $sql;
}

有任何想法吗?

4

1 回答 1

1

你不要htmlentities在路上使用,你在输出上使用它。您应该转义以输入数据库,然后在输出中显示换行符,请考虑:

nl2br(htmlentities($comment));
于 2013-01-30T17:51:38.907 回答