问题
Possible Duplicate:
How to properly escape html form input default values in php?
If I use a preset HTML input, eg:
$lmao=$_POST['lmao'];
echo <<<EOD
<input value="{$lmao}" name="lmao" type="text">
EOD;
if a " character gets into the variable, it will result in poo, and also a data loss on re-submission.
I could, of course:
preg_replace('/"/', '',$lmao);
But what if I wanted to keep that quote?
回答1:
All user-inputted data that is being output within HTML attributes should be run through htmlspecialchars. This encodes quotes and other characters:
echo '<input value="'.htmlspecialchars($lmao).'" name="lmao" type="text">';
来源:https://stackoverflow.com/questions/11707953/how-do-i-escape-quotes-for-html-input-using-php