How to escape HTML code for insertion into MySQL

Time: 2022-05-14 06:29:11

I am using the TinyMCE editor to produce an HTML page and then insert it into MySQL. I tried this:

 $esdata = mysql_real_escape_string($data);

It is working for all HTML except images. If I have a hyperlink like:

http://www.abc.com/pic.jpg

then it gets garbled and the image doesn't appear.

INPUT: <img src="../images/size-chart.jpg" alt="Beer" />

OUTPUT: <img src="\&quot;&quot;images/size-chart.jpg\\&quot;\&quot;" alt="\&quot;Beer" />

3 answers

#1


2  

Try using urlencode and urldecode to escape the string. As Christian said, escaping is not done for the sake of the DB but to keep things as they are. So you can also use urlencode and urldecode.

For Ex:

//to encode
$output = urlencode($input);


//to decode
$input = urldecode($output);

#2


2  

You shouldn't over-escape code before you send it to the DB.

When you escape it, it is stored in the DB as it was originally. Escaping is not done for the sake of the DB, but for the sake of keeping the data as it was, without allowing users to inject bad stuff into your SQL statements (prior to sending the data to the DB).
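As an added example (not from the original answer), here is that point in runnable PHP: escaping protects the SQL statement, so the stored value comes back unchanged, and escaping the same value twice is what leaves stray backslashes of the kind seen in the question's output. Two assumptions: PDO with an in-memory SQLite database stands in for MySQL (only the DSN differs), and addslashes() stands in for mysql_real_escape_string(), which needs an open connection and was removed along with the rest of the mysql extension in PHP 7.0.

```php
<?php
declare(strict_types=1);

// Constructed sample: the fragment TinyMCE would submit.
const SAMPLE_HTML = '<img src="../images/size-chart.jpg" alt="Beer" />';

/** Escaping once only protects the SQL literal; MySQL strips the backslashes when it parses the statement.
 *  addslashes() stands in for mysql_real_escape_string() here (assumption: same backslash escaping of quotes). */
function escapeOnce(string $html): string
{
    return addslashes($html);
}

/** Escaping twice (magic_quotes_gpc plus a manual escape, or escaping a value that was already escaped)
 *  is what leaves stray backslashes in the stored row. */
function escapeTwice(string $html): string
{
    return addslashes(addslashes($html));
}

/** Store the raw HTML through a prepared statement: the driver keeps data separate from the SQL text,
 *  so no escaping is done by hand and nothing has to be undone on the way out. */
function storePage(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->bindValue(':body', $html, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function loadPage(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Assumption: in-memory SQLite stands in for MySQL; use a 'mysql:host=...;dbname=...' DSN in real code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

echo "escaped once : ", escapeOnce(SAMPLE_HTML), "\n";
echo "escaped twice: ", escapeTwice(SAMPLE_HTML), "\n";
echo "stored row   : ", loadPage($db, storePage($db, SAMPLE_HTML)), "\n";

// The round trip is lossless even when the value carries quotes, backslashes and an injection attempt.
$hostile = '<img src="x\\y" alt="\'); DROP TABLE pages; --" />';
if (loadPage($db, storePage($db, $hostile)) !== $hostile) {
    throw new RuntimeException('stored HTML was altered');
}
echo "round trip OK\n";
```

With a prepared statement there is nothing to decode on the way out: the row holds the HTML exactly as TinyMCE sent it. If you are on a PHP version old enough to still have mysql_real_escape_string(), also make sure magic_quotes_gpc is off (it was removed in PHP 5.4), otherwise the input arrives already escaped once before your code runs.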

#3


0  

You should use the htmlspecialchars function to encode the string and htmlspecialchars_decode to display the string back as HTML.
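Added example (not from the original answer) showing the two output paths for stored HTML. htmlspecialchars() is the right tool only when the markup is to be shown as literal text; when the stored markup is meant to render, encoding on store and decoding on display is a round trip that hands hostile markup back exactly as submitted, so the defence is an allowlist sanitizer applied at output. The tag and attribute allowlist and the URL scheme check below are assumptions chosen for the example; production code should use a maintained sanitizer such as HTML Purifier.

```php
<?php
declare(strict_types=1);

// Tag/attribute allowlist: an assumption for this example, not a recommendation for every site.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height']];

/** Path 1: show stored HTML as literal text (e.g. a "view source" box). Nothing renders. */
function showAsText(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Accept relative URLs and http/https/mailto; reject javascript:, data:, vbscript: and friends.
 *  Control characters and whitespace are stripped first because browsers ignore them
 *  inside a scheme ("java\tscript:" still runs). */
function safeUrl(string $url): bool
{
    $url = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // relative URL such as ../images/size-chart.jpg
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a copy: removing children from a live NodeList while iterating it skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // drops <script>, <iframe>, <style>, ... with their contents
                continue;
            }
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name  = strtolower($attr->name);
                $isUrl = in_array($name, ['href', 'src'], true);
                if (!in_array($name, $allowed, true) || ($isUrl && !safeUrl($attr->value))) {
                    $child->removeAttribute($attr->name); // kills onerror=, onclick=, style=, javascript: URLs
                }
            }
            sanitizeNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

/** Path 2: render stored HTML as markup, after allowlist sanitisation. */
function showAsHtml(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // TinyMCE output is not always well formed
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed samples: the poster's image, plus a hostile fragment an editor user could submit.
$benign  = '<img src="../images/size-chart.jpg" alt="Beer" />';
$hostile = '<p onclick="steal()">hi</p><img src="x" onerror="alert(1)" />'
         . '<a href="javascript:alert(2)">x</a><script>alert(3)</script>';

echo showAsText($benign), "\n";  // the tag shown as text: &lt;img src=&quot;../images/size-chart.jpg&quot; ...
echo showAsHtml($benign), "\n";  // the tag rendered as markup: <img src="../images/size-chart.jpg" alt="Beer">
echo showAsHtml($hostile), "\n"; // <p>hi</p><img src="x"><a>x</a>
```

The DOM parser is doing the heavy lifting here: attribute values arrive already entity-decoded, so `&#106;avascript:` is checked as `javascript:`, and unknown elements are removed together with their children rather than matched with a regex. Sanitising at output rather than at store time also means the stored content survives a later tightening of the allowlist.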
