我在PHP中有一个评论系统,当用户在textarea中键入换行符时,它显示为rn(注意:我正在清理此输入并使用htmlentities(),并且我有自定义标记)
这是我当前的代码(包括尝试更换换行符):
$comment_content =stripslashes(str_replace('\r\n', '@//', mysql_real_escape_string($_POST['comment_content'])));
$comment_content = htmlentities($comment_content);
$comment_content = mysql_real_escape_string(str_replace("====", "<span class=".$bold.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("===", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~~", "<span class=".$italic.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("~~", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("++++", "<span class=".$big.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("+++", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("___", "<span class=".$underline.">", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("__", "</span>", $comment_content));
$comment_content = mysql_real_escape_string(str_replace("@//", "<br>", $comment_content));
$comment_content = comment_sanitize($comment_content);
这就是我消毒的方式:
function sanitize($sql, $formUse = true) {
$sql = preg_replace("/(from|script|src|select|insert|delete|where|drop table|show tables|`|,|'|\*|\\\\)/i","",$sql);
$sql = trim($sql);
if(!$formUse || !get_magic_quotes_gpc()) {
$sql = addslashes($sql);
}
return $sql;
}
有什么想法吗?
答案 0 :(得分:1)
您在输入途中不使用htmlentities,而是在输出中使用它。您应该转义输入到数据库中,然后在输出上显示换行符:
nl2br(htmlentities($comment));