I have a profile page in which I want to display informations from the database for most users, and a form with the current data as default value for the users with modification rights.
我有一个配置文件页面,其中我想从数据库中向大多数用户显示信息,以及一个以当前数据作为修改权限的用户的默认值的表单。
if ($IDprofile == $_SESSION['userID'])
{
echo "<form method='post'>
Surname: <input type='text' required name='surname' maxlength=50
value=".htmlentities($user['Surname'])."><br>
Name: <input type='text' required name='name' maxlength=50
value=".htmlentities($user['Name'])."><br>
Birthdate (format YYYY-MM-DD): <input type='text' required name='BirthDate' value='";
if ($user['BirthDate'] != null)
echo $user['BirthDate'];
else
echo "-";
echo "'><br>
Description: <input type='text' maxlength=255 name='description' value='";
if ($user['Description'] != null)
echo htmlentities($user['Description']);
else
echo "-";
echo "'><br>
<input type='submit' value='OK'></form>";
}
As you can see, I tried with htmlentities, which should transform the apostrophe into ', but it doesn't work. Other methods like addslashes and addcslashes don't work either.
如您所见,我尝试使用htmlentities,它应该将撇号转换为#39;,但它不起作用。其他的方法,如addslash和addcslash也不起作用。
What is displayed is my form input with the value it should have, until the place where there should be an apostrophe, where it just ends. addslashes does the same, with a / before the end.
显示的是我的表单输入和它应该具有的值,直到出现撇号的地方,它才结束。addslashes在结尾之前也会这样做。
What puzzles me the most is that I have a surname with an apostrophe in it in my database, and this one is displayed just fine.
最让我困惑的是,我的数据库中有一个带有撇号的姓,这个显示得很好。
2 个解决方案
#1
3
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
默认情况下,htmlentities只对“双引号”进行编码,因为它们是HTML属性的更常见的终止符。如果您希望它也编码“单引号”,您需要设置ENT_QUOTES标志:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
(ENT_HTML401是另一个默认标志;现在你可能想要使用ENT_HTML5。
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
您还应该使用引号来分隔属性!目前,您的结果看起来像value=James,这并不是不正确的,但是一旦您的值包含空格或引号或其他特殊字符,就会给您带来麻烦。
#2
1
Please try outputting your variables like this:
请试着将你的变量输出如下:
htmlspecialchars($user['Surname'], ENT_QUOTES);
:$ user(“姓”),ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
还要确保在系统中禁用魔法引号,这样在发布新数据时就不会自动获得额外的斜杠。
#1
3
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
默认情况下,htmlentities只对“双引号”进行编码,因为它们是HTML属性的更常见的终止符。如果您希望它也编码“单引号”,您需要设置ENT_QUOTES标志:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
(ENT_HTML401是另一个默认标志;现在你可能想要使用ENT_HTML5。
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
您还应该使用引号来分隔属性!目前,您的结果看起来像value=James,这并不是不正确的,但是一旦您的值包含空格或引号或其他特殊字符,就会给您带来麻烦。
#2
1
Please try outputting your variables like this:
请试着将你的变量输出如下:
htmlspecialchars($user['Surname'], ENT_QUOTES);
:$ user(“姓”),ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
还要确保在系统中禁用魔法引号,这样在发布新数据时就不会自动获得额外的斜杠。