56 [Quick Reference] string escapes in real use
written by Qindex at 2006-10-28 01:59 /

http://qindex.info/Q_drctry/test/escapes.php

 

 

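<!DOCTYPE html
     PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN'
    'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <head>
        <title></title>
        <meta http-equiv='Content-Type'  content='text/html; CHARSET=UTF-8' />
        <style type='text/css'>
            body,input { font-family:courier new; }
            input { width:250px; }
            img { cursor:pointer; }
        </style>
        <script type='text/javascript'>
            // Target of every demo below: it only shows the string it received,
            // so a correctly escaped value round-trips to the original text.
            function a_function(strng) {
                window.alert(strng);
            }
        </script>
    </head>
    <body>


<?php
/*
 * Escaping helpers shared by the demos below.
 *
 * Order matters in every chain: escape for the INNERMOST language first
 * (JavaScript), then for the one wrapping it (HTML attribute), then for the
 * outermost one (PHP string literal). The browser undoes the layers in the
 * reverse order, so each parser only ever sees text meant for it.
 */

/**
 * Make $s safe to place inside a JavaScript string literal delimited by $quote.
 *
 * @param string $s                   raw text (e.g. a value read from the database)
 * @param string $quote               delimiter of the literal: "'" or '"'
 * @param bool   $in_script_element   true when the literal sits inside a
 *               <script> element rather than an on* attribute: '<' and '>'
 *               are then written as \u003C / \u003E so a value containing
 *               "</script>" cannot terminate the element. Inside an attribute
 *               htmlspecialchars() takes care of '<' and '>' (see callers).
 * @return string
 */
function js_string_escape($s, $quote, $in_script_element = false)
{
    // Backslash first, otherwise the backslashes added by later steps would
    // be doubled again.
    $s = str_replace("\\", "\\\\", $s);
    // The delimiter itself.
    $s = str_replace($quote, "\\".$quote, $s);
    // A raw CR/LF inside a JS string literal is a SyntaxError, so both are
    // written as escape sequences (a bare str_replace chain for quotes and
    // backslashes leaves them through).
    $s = str_replace(array("\r", "\n"), array('\r', '\n'), $s);
    if ($in_script_element) {
        // Single-quoted so PHP leaves the \u sequence verbatim for JavaScript.
        $s = str_replace(array('<', '>'), array('\u003C', '\u003E'), $s);
    }
    return $s;
}

/**
 * HTML-escape $s for element text or an attribute value.
 *
 * The charset is passed explicitly: before PHP 5.4 the default was
 * ISO-8859-1, which does not match the UTF-8 declared in this document.
 *
 * @param string $s
 * @param int    $flags  ENT_QUOTES / ENT_COMPAT / ENT_NOQUOTES, chosen by the
 *                       delimiter of the attribute the text is placed in
 * @return string
 */
function html_escape($s, $flags = ENT_QUOTES)
{
    return htmlspecialchars($s, $flags, 'UTF-8');
}

// Test value: characters that are special in at least one of URL, HTML,
// JavaScript, PHP or SQL syntax.
$a_value = ";/?:@&=+$, <>#%\"{}|\\^[]`'";
// Deliberately unescaped, so the raw value is visible for comparison.
echo $a_value."<br />";
?>

 

<!-- string from DB - HTML -->
<p><?php echo html_escape($a_value, ENT_NOQUOTES); ?></p>

 

<!-- string from DB - HTML attribute -->
<!-- the flag follows the attribute delimiter: single quotes need ENT_QUOTES,
     double quotes only ENT_COMPAT (pinned explicitly: PHP 8.1 changed the default) -->
<input name='a_name' value='<?php echo html_escape($a_value, ENT_QUOTES); ?>' /><br />
<input name='a_name' value="<?php echo html_escape($a_value, ENT_COMPAT); ?>" /><br />

 

<!-- string from DB - JavaScript string -->
<script type='text/javascript'>
a_function('<?php echo js_string_escape($a_value, "'", true); ?>');
a_function("<?php echo js_string_escape($a_value, '"', true); ?>");
</script>

 

<!-- string from DB - JavaScript string - HTML attribute -->
<!-- JS escaping first, HTML escaping second: the browser decodes the
     attribute before the JS engine ever sees the literal -->
<img src='http://qindex.info/Q_img/Qindx_logo.gif' onclick="a_function('<?php
    echo html_escape(js_string_escape($a_value, "'"), ENT_QUOTES);
    ?>');" /><br />
<img src='http://qindex.info/Q_img/Qindx_logo.gif' onclick='a_function("<?php
    echo html_escape(js_string_escape($a_value, '"'), ENT_QUOTES);
    ?>");' /><br />

 

<!-- string from DB - JavaScript string - HTML attribute - PHP string -->
<?php
// Third layer: the markup itself is a double-quoted PHP string, so the double
// quotes of the onclick attribute (first case) and of the JS literal (second
// case) are escaped for PHP with \". The escaped value is concatenated in,
// never interpolated, so it needs no PHP-level escaping of its own.
$html = "<img src='http://www.kallery.net/Q_img/kallery_net.gif' onclick=\"a_function('"
      . html_escape(js_string_escape($a_value, "'"), ENT_QUOTES)
      . "');\" /><br />\n";
echo $html;
$html = "<img src='http://www.kallery.net/Q_img/kallery_net.gif' onclick='a_function(\""
      . html_escape(js_string_escape($a_value, '"'), ENT_QUOTES)
      . "\");' /><br />\n";
echo $html;
?>

 

<!-- posted string - query string -->
<?php
// NOTE(review): the mysql_* extension was removed in PHP 7.0, so this section
// cannot run on a current interpreter; the guard keeps the rest of the page
// working there. Prepared statements (PDO / mysqli) bind the value instead of
// escaping it into the SQL text and are the replacement for this pattern.
if (function_exists('mysql_real_escape_string')) {
    include_once $_SERVER['DOCUMENT_ROOT']."...";
    $d_id_lnk = @mysql_connect($server, $user, $psswrd);
    if ($d_id_lnk === false) {
        // Without an open connection mysql_real_escape_string() returns false,
        // which would silently turn the value into an empty string in the query.
        trigger_error('mysql_connect failed: '.mysql_error(), E_USER_WARNING);
    } else {
        // The escaping is connection-specific (charset), hence the explicit link.
        $qry = "INSERT INTO a_table SET a_column='".mysql_real_escape_string($a_value, $d_id_lnk)."'";
        echo $qry;
    }
}
?>


    </body>
</html>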

 

 

 

 

htmlspecialchars

http://kr2.php.net/manual/en/function.htmlspecialchars.php

'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'

 

str_replace

http://kr2.php.net/manual/en/function.str-replace.php

 

mysql_real_escape_string

http://kr2.php.net/manual/en/function.mysql-real-escape-string.php

prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.


