我正在尝试处理可能包含单引号和其他特殊字符的文本.如果用单引号括起来,则不会继续.所以我试图将单引号字符串括在双引号字符串中.
我已经检查了以前的线程.
这是代码:
<?PHP function clean($string) { eval('$string = "'.$string.'";'); $string = str_replace(' ',' ',$string); // Replaces all spaces with hyphens. return preg_replace('/[^A-Za-z0-9 @\-]/','',$string); // Removes special chars. } $d = clean('this was readlly n'ice 'test for@me to') ; echo $d;
评估线有什么问题?
我正在处理用户推文,发布有两个目的.
>存储到MysqL表中. (MysqLi_real_escape)没有帮助
>将每个字符串处理为文本以进行匹配和POS(词性)标记.
由于文字中的这些字符,我卡住了.所以在我开始处理之前尝试删除它.
更新:
检查一下,这里我已经在使用MysqLi_real_escape_String,即使脚本在达到此目的时停止
... mention-179 May Thanks @ShaleMarkets @01Finser @52York @AB_CutRock @AFSPG @AJSmith222 @AlbertaEnergy @andymartin @annemullettamg @APGQ_officiel-440929408564477952-Tue Mar 04 19:18:57 +0000 2014-19:03:572014:03:04201403Adnan Aftab Nizamani0131 mention-180 Thank you for @ShaleMarkets,to promoting,thank you very much for an award. Glad to have been able to help you :)-440897048963850240-Tue Mar 04 17:10:22 +0000 2014-17:03:222014:03:04201403♘-₭ℜi℘-0582 mention-181 @ShaleMarkets https://t.co/aM8liykQqR-440890009273393152-Tue Mar 04 16:42:24 +0000 2014-16:03:242014:03:04201403Bre Burey018
提到181有什么不对,所以它被卡住了?这是代码
foreach ($tweets1 as $item) { $count = $count + 1; $text = $item->text; //echo $userid.$text; $text_id = $item->id; $constant = 'mention'; $time = $item->created_at; //echo $time; //$dt = new DateTime('@' . strtotime($time)); $dt = \DateTime::createFromFormat('D M d H:i:s e Y',$time); //var_dump($dt); $tweet_time = $dt->format('H:m:s'); $tweet_dtm = $dt->format('Y:m:d'); $year = $dt->format('Y'); $month = $dt->format('m'); $user_name = $item->user->name; // echo $year.$month.$user_name; $inreplyto = $item->in_reply_to_screen_name; $rt_count = $item->retweet_count; $follower_count = $item->user->followers_count; echo $constant."-".$count."<br>".$text."-".$text_id."-".$time."-".$tweet_time.$tweet_dtm.$year.$month.$user_name.$rt_count.$follower_count."<br>"; echo "<br>"; $con = MysqLi_connect('127.0.0.1','root','root'); if (MysqLi_connect_errno()) { echo "Failed to connect to MysqL: " . MysqLi_connect_error(); return; } $text = MysqLi_real_escape_string($con,$text); $insertQuery1 = "INSERT INTO twitter_mention(`username`,`userid`,`tweet_text`,`text_id`,`time`,`month`,`year`,`date`,`user_follower_count`,`rt_count`,`constant`,`in_reply_to`) VALUES ('".$twitteruser."','".$userid."','".$text."','".$text_id."','".$tweet_time."','".$month."','".$year."','".$tweet_dtm."','".$follower_count."','".$rt_count."','".$constant."','".$inreplyto."')"; if (!MysqLi_query($con,$insertQuery1)) { // die('Error: ' . MysqLi_error($con)); // echo "error"; }
始终使用上下文转义
如果没有任何关于它的内容的背景,你不能一般地“清理”数据.不要尝试构建单个函数来处理所有可能的情况.只是不要.没有用.在你的函数中,你试图通过删除某些字符来“清理”字符串.您无法通过删除一组字符来清理字符串.这个想法是有缺陷的,因为你总是不得不允许使用一些在某些语法或其他语法中特殊的字符.
相反,根据将要使用的上下文处理字符串.例如:
>如果要在SQL查询中使用此字符串,则必须使用预准备语句(或mysqli_real_escape_string()
)来正确转义数据.
>如果要在HTML标记中输出此值,则需要使用htmlspecialchars()
来转义数据.
>如果要将其用作命令行参数,则需要使用escapeshellcmd()
或escapeshellarg()
.
进一步阅读:
> Security.SE — What’s the best way to sanitize user input in PHP?
> What’s the best method for sanitizing user input with PHP?
> Does eliminating dangerous characters avoid SQL-injection?