I have a textbox on my website and I need to store whatever the user enters into my database, and retrieve it at a later time. I need to store it exactly as the user entered, including special characters, carriage returns, etc.
我的网站上有一个文本框,我需要存储用户输入的数据库,并在以后检索它。我需要完全按照用户输入的方式存储它,包括特殊字符,回车等。
What process should I use in PHP to store this in my database field (which is a 'text' field)? Should I use PHP's html_encode or anything like that?
我应该在PHP中使用什么进程将其存储在我的数据库字段(这是一个'text'字段)中?我应该使用PHP的html_encode或类似的东西吗?
Thankyou.
Edit: I also need to store correct formatting i.e tabs and multiple spaces.
编辑:我还需要存储正确的格式,即选项卡和多个空格。
5 个解决方案
#1
4
You shouldn't html-encode the data when writing it to the datastorage - that way you could use your data also for something else (e.g. emails, PDF documents and so on). As Assaf already said: it's mandatory to avoid SQL injections by escaping the input or using parameterized insert-queries.
在将数据写入数据存储时,您不应对数据进行html编码 - 这样您也可以将数据用于其他内容(例如电子邮件,PDF文档等)。正如Assaf已经说过的那样:必须通过转义输入或使用参数化插入查询来避免SQL注入。
You should, no, let's say, must however html-encode your data when showing it on an HTML page! That will render dangerous HTML or Javascript code useless as the HTML-tags present in the data will not be recognized as HTML-tags by the browser any more.
不过,不应该说,不应该在HTML页面上显示数据时对数据进行html编码!这会使危险的HTML或Javascript代码变得无用,因为数据中存在的HTML标签将不再被浏览器识别为HTML标签。
The process is a little more complicated when you'll allow the users to post data with HTML-tags inside. You then have to skip the output-encoding in favor of an input-sanitizing which can be arbitrary complex depending on your needs (allowed tags e.g.).
当您允许用户在其中发布带有HTML标签的数据时,此过程会稍微复杂一些。然后,您必须跳过输出编码,转而使用输入消毒功能,根据您的需要(例如允许的标签)可以是任意复杂的。
#2
5
Use mysql_real_escape_string():
$safetext = mysql_real_escape_string($_POST['text']);
$query = "INSERT INTO my_table (`my_field`) VALUES ('$safetext')";
mysql_query($query);
That should work.
这应该工作。
#3
3
You don't have to encode it in order to store it in a mysql.
您不必对其进行编码以将其存储在mysql中。
Be sure you use a parameterized insert command, to avoid SQL injection.
请确保使用参数化插入命令,以避免SQL注入。
#4
3
The following should work:
以下应该有效:
if (get_magic_quotes_gpc()) {
$content = stripslashes($content);
}
$content = mysql_real_escape_string($content);
If your column is utf8, you shouldn't have problems with special characters. Once you've formatted the content correctly, you can feed it to mysql using your standard insert methods.
如果您的列是utf8,则不应该遇到特殊字符问题。正确格式化内容后,可以使用标准插入方法将其提供给mysql。
#5
1
To correctly store the user text in addition to the formatting, all you have to do is convert all the newlines to breaks using nl2br($inputtext). Do this after filtering the input.
要在格式化之外正确存储用户文本,您只需使用nl2br($ inputtext)将所有换行符转换为中断。过滤输入后执行此操作。
#1
4
You shouldn't html-encode the data when writing it to the datastorage - that way you could use your data also for something else (e.g. emails, PDF documents and so on). As Assaf already said: it's mandatory to avoid SQL injections by escaping the input or using parameterized insert-queries.
在将数据写入数据存储时,您不应对数据进行html编码 - 这样您也可以将数据用于其他内容(例如电子邮件,PDF文档等)。正如Assaf已经说过的那样:必须通过转义输入或使用参数化插入查询来避免SQL注入。
You should, no, let's say, must however html-encode your data when showing it on an HTML page! That will render dangerous HTML or Javascript code useless as the HTML-tags present in the data will not be recognized as HTML-tags by the browser any more.
不过,不应该说,不应该在HTML页面上显示数据时对数据进行html编码!这会使危险的HTML或Javascript代码变得无用,因为数据中存在的HTML标签将不再被浏览器识别为HTML标签。
The process is a little more complicated when you'll allow the users to post data with HTML-tags inside. You then have to skip the output-encoding in favor of an input-sanitizing which can be arbitrary complex depending on your needs (allowed tags e.g.).
当您允许用户在其中发布带有HTML标签的数据时,此过程会稍微复杂一些。然后,您必须跳过输出编码,转而使用输入消毒功能,根据您的需要(例如允许的标签)可以是任意复杂的。
#2
5
Use mysql_real_escape_string():
$safetext = mysql_real_escape_string($_POST['text']);
$query = "INSERT INTO my_table (`my_field`) VALUES ('$safetext')";
mysql_query($query);
That should work.
这应该工作。
#3
3
You don't have to encode it in order to store it in a mysql.
您不必对其进行编码以将其存储在mysql中。
Be sure you use a parameterized insert command, to avoid SQL injection.
请确保使用参数化插入命令,以避免SQL注入。
#4
3
The following should work:
以下应该有效:
if (get_magic_quotes_gpc()) {
$content = stripslashes($content);
}
$content = mysql_real_escape_string($content);
If your column is utf8, you shouldn't have problems with special characters. Once you've formatted the content correctly, you can feed it to mysql using your standard insert methods.
如果您的列是utf8,则不应该遇到特殊字符问题。正确格式化内容后,可以使用标准插入方法将其提供给mysql。
#5
1
To correctly store the user text in addition to the formatting, all you have to do is convert all the newlines to breaks using nl2br($inputtext). Do this after filtering the input.
要在格式化之外正确存储用户文本,您只需使用nl2br($ inputtext)将所有换行符转换为中断。过滤输入后执行此操作。