我正在尝试将一些标题保存到wordpress中的mysql数据库,允许双引号和单引号。所以我希望能够插入如下字符串:
A man's dog walked into the bar
The "main reason" it does not work
It's time to announce "The Show" in an hour
我的代码如下:
$question_id = filter_var($_REQUEST['question_id'], FILTER_SANITIZE_NUMBER_INT);
$feedback_correct = preg_replace("/[^a-zA-Z0-9'\"?_\. !&-]+/","",sanitize_text_field($_REQUEST['feedback_correct']));
$feedback_incorrect = preg_replace("/[^a-zA-Z0-9'\"?_\. !&-]+/","",sanitize_text_field($_REQUEST['feedback_incorrect']));
//preg_replace is to strip out any characters we dont want in the title like "<>|}{[]/"
$data = array(
'feedback_correct' => $feedback_correct,
'feedback_incorrect' => $feedback_incorrect
);
$update_feedback = $eot_quiz->updateQuestion($data, $question_id);
updateQuestion函数:
public function updateQuestion($data = array(), $id = 0)
{
global $wpdb;
$result = $wpdb->update(TABLE_QUIZ_QUESTION, $data, array('ID' => $id));
if ($result === false)
{
return false;
}
else
{
return true;
}
}
在访问数据库之后,我的字符串看起来像:
A man
*字符串在单引号后被切断
The "main reason" it does not work
*双引号看起来不错
It
*字符串在单引号后被切断
如何在数据库中正确插入这些字符串?提前致谢。
显示代码:
<?php
$quiz_question = $eot_quiz->get_question_by_id($question_id);
?>
<div class="bs">
<div class="panel panel-default">
<form method="POST" action="#">
<div class="panel-heading">
<h3 class="panel-title"><?= $quiz_question['quiz_question']?></h3>
</div>
<div class="panel-body">
<div class="form-group">
<label for="feedback_correct">Feedback for correct answer</label>
<input type="text" class="form-control" name="feedback_correct" placeholder="Correct Feedback" value='<?= $quiz_question['feedback_correct']?>'>
</div>
<div class="form-group">
<label for="feedback_incorrect">Feedback for incorrect answer</label>
<input type="text" class="form-control" name="feedback_incorrect" placeholder="Incorrect Feedback" value='<?= $quiz_question['feedback_incorrect']?>'>
</div>
<input type='hidden' name='question_id' value="<?= $question_id ?>" />
<input type='hidden' name='quiz_id' value="<?= $quiz_id ?>" />
<input type='hidden' name='subscription_id' value="<?= $subscription_id ?>" />
<input type='hidden' name='feedback' value="true" />
<button type="submit" class="btn btn-default">Update Feedback</button>
</div>
<div class="panel-footer"><a href="/dashboard/?part=update_quiz_questions&question_id=<?= $question_id?>&quiz_id=<?= $quiz_id?>&subscription_id=<?= $subscription_id ?>" class="btn btn-success pull-right">Take me back to the Question</a><div style="clear:both"></div></div>
</form>
</div>
</div>
答案 0 :(得分:1)
在元素属性中任何时候使用esc_attr
:
<input type="text" class="form-control" name="feedback_correct" placeholder="Correct Feedback" value='<?php
//Always escape before echoing to an html attribute
esc_attr($quiz_question['feedback_correct']);
?>'>
答案 1 :(得分:0)
$wpdb
的基类是什么?找出它的逃逸机制并使用它
或者,使用addslashes()
。
请不要尝试使用preg_replace
,否则您可能无法处理所有需要转义的字符。 (这不仅仅是撇号和引用。)