如何在php中正确转义html表单输入默认值?

Given the following two html/php snippets:

给出以下两个html/php代码片段:

<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />

< input type = " text " name = value =“firstname < ?php echo $ _POST['名字'];? > " / >

and

和

<textarea name="content"><?php echo $_POST['content']; ?></textarea>

< textarea name = "内容" > < ?php echo $ _POST['内容”);? > < / >文本区域

what character encoding do I need to use for the echoed $_POST variables? Can I use any built in PHP functions? Please assume that the $_POST values have not been encoded at all yet. No magic quotes no nothing.

对于回显的$_POST变量，我需要使用什么字符编码?我能使用PHP函数吗?请假设$_POST值还没有被编码。没有魔法就没有什么。

3 个解决方案

#1

Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).

使用:$ _POST['名字'])和htmlspecialchars函数($ _POST['内容'])。

Always escape strings with htmlspecialchars() before showing them to the user.

在显示给用户之前，总是使用htmlspecialchars()来脱机。

#2

However, htmlspecialchars() won't help you with value='single quotes'

但是，htmlspecialchars()不能帮助您处理value='single quotes'

This is what happens:

这是发生了什么:

value='We're not using this in our "code"...'

value='我们没有在我们的代码中使用它…'…'

All you see is We

你所看到的就是我们

#3

htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.

htmlspecialchars在这两种情况下都适用。请查看不同的标志选项，以避免在输入情况中出现引号问题。

#1