I have this:
<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />
I want to strip quotes from user input so that if someone enters something like: "开发者_运维百科This is my title" it wont mess up my code.
I tried this and it's not working:
$inputData['title'] = str_replace('"', '', $_POST['title']);
If I understand the question correctly, you want to remove " from $inputData['title'], so your HTML code is not messed up?
If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.
Considering you are generating HTML, **you should use the [`htmlspecialchars`][1] function**; this way, double-quotes *(and a couple of other characters)* will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.
For instance:
echo '<input name="title" type="text" class="inputMedium" value="'
. htmlspecialchars($inputData['title'])
. '" />';
Note: depending on your situation (especially, about the encoding/charset you might be using), you might to pass some additional parameters to htmlspecialchars.
Generally speaking, you should always escape the data you are sending as an output, not matter what kind of output format you have.
For instance:
- If you are generating some XML or HTML, you should use
htmlspecialchars - If you are generating some SQL, you should use
mysql_real_escape_string, or an equivalent, depending on the type of database you're working with
User input should be run through htmlspecialchars() to be used in this sort of case.
I highly recommend you to use htmlentities($string, ENT_QUOTES) before displaying anything user generated anywhere...
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论