PHP supports displaying and formatting user input, and php formatting

PHP supports displaying and formatting user input, and php formatting

You can download the files attached to this document on this page or in character processing of the file download. This document describes how to securely display formatted user input. We will discuss the danger of output without filtering, and provide a safe way to display and format the output.

No risk of filtering output

If you only obtain user input and display it, you may destroy your output page. For example, some people can maliciously embed javascript scripts in the input box they submit:

This is my comment.
<Script language = "javascript:
Alert ('Do something bad here! ') ">.

In this way, even if the user is not malicious, some HTML statements may be damaged, such as a table suddenly interrupted or the page display is incomplete.


Only show unformatted text

This is the simplest solution. You only display the information submitted by users as unformatted text. Use the htmlspecialchars () function to convert all characters into HTML encoding.

For example, if <B> is changed to <B>, this ensures that no unexpected HTML Tag is output when it is inappropriate.
This is a good solution. If your users only pay attention to text content without format. However, if you provide some formatting capabilities, it will be better.
Formatting with Custom Markup Tags
Format your own tags

You can provide special tags for users to use, for example, you can use... aggravated display ,... it is displayed in italic, so that you can simply search for and replace: $ output = str_replace ("", "<B>", $ output );
$ Output = str_replace ("", "<I>", $ output );

In addition, we can allow users to type some links. For example, you can enter [link = "url"]... [/link] and convert it to the <a href = "">... </a> statement.

In this case, we cannot use a simple search replacement. We should replace it with a regular expression:
$ Output = ereg_replace ('\ [link = "([: graph:] +)" \]', '<a href = "\ 1"> ', $ output );

The execution of ereg_replace () is:
Search for the string that appears [link = "..."] and replace it with <a href = "...">
[[: Graph:] indicates any non-null characters. For more information about regular expressions, see related articles.


The format_output () function in outputlib. php provides the conversion of these tags. The general principle is:
Call htmlspecialchars () to convert the HTML tag to a special encoding, and filter out the HTML Tag that should not be displayed,
Then, convert a series of custom tags into corresponding HTML tags.
See the following source code:
<? Php


Function format_output ($ output ){
/*************************************** *************************************
* Takes a raw string ($ output) and formats it for output using a special
* Stripped down markup that is similar to HTML
**************************************** ************************************/

$ Output = htmlspecialchars (stripslashes ($ output ));

/* New paragraph */
$ Output = str_replace ('[p]', '<p>', $ output );

/* Bold */
$ Output = str_replace ('', '<B>', $ output );
$ Output = str_replace ('', '</B>', $ output );

/* Italics */
$ Output = str_replace ('', '<I>', $ output );
$ Output = str_replace ('', '</I>', $ output );

/* Preformatted */
$ Output = str_replace ('[pre]', '<pre>', $ output );
$ Output = str_replace ('[/pre]', '</pre>', $ output );

/* Indented blocks (blockquote )*/
$ Output = str_replace ('

', '＜blockquote>', $output); 
$output = str_replace('

',' </Blockquote> ', $ output );

/* Anchors */
$ Output = ereg_replace ('\ [anchor = "([[: graph:] +)" \]', '<a name = "\ 1"> </a>', $ output );

/* Links, note we try to prevent javascript in links */
$ Output = str_replace ('[link = "javascript', '[link =" javascript', $ output );
$ Output = ereg_replace ('\ [link = "([: graph:] +)" \]', '<a href = "\ 1"> ', $ output );
$ Output = str_replace ('[/link]', '</a>', $ output );

Return nl2br ($ output );
}

?>

Notes:

Remember to replace the custom tag to generate an HTML Tag string after you call the htmlspecialchars () function, instead of before calling this function. Otherwise, your hard work will go far after you call htmlspecialchars.

After conversion, the HTML code to be searched will be replaced, for example, double quotation marks will become"

The nl2br () function converts the carriage return linefeed to the <br> flag, which is also after htmlspecialchars.

When converting [links = ""] to <a href = "">, make sure that the submitter does not insert a javascript script, A simple method is to change [link = "javascript to [link =" javascript. This method will not be replaced, but will only display the original code.

Outputlib. php
Call test. php In the browser to view the usage of format_output ().

Normal HTML tags cannot be used. replace them with the following special tags:

-This is bold
-This is italics
-This is [link = "http://www.phpbuilder.com"] a link [/link]
-This is [anchor = "test"] an anchor, and a [link = "# test"] link [/link] to the anchor

[P] Paragraph
[Pre] pre-format [/pre]

Staggered text

These are few tags. Of course, you can add more tags as needed.

Conclusion
Conclusion

This discussion provides methods for securely displaying user input, which can be used in the following programs

Message Board
User suggestions
System announcement
BBS system

Http://php.662p.com/thread-343-1-1.html

PHP makes a web page and allows users to upload images and display them. How can this problem be solved?

Front-end:
<Form action = "php_insertpic.php" method = "post" enctype = "multipart/form-data">
<Input type = "file" name = "myFile" id = "myFile"/>
</Form>
Background:
$ Pic_data = $ _ FILES ["myFile"] ["tmp_name"];
$ Pic_size = $ _ FILES ["myFile"] ["size"];
$ Filepic = addslashes (fread (fopen ($ pic_data, "rb"), $ pic_size ));
Insert the statement to the database, for example: "insert into pic (id, picture) values (1, $ filepic )"
Show image:
Header ("Content-type: image/jpeg ");
Connect to database
$ Result = mysql_query ("select * from pic where id = 1 ");
$ Myrow = mysql_fetch_array ($ result );
Echo ($ myrow ["picture"]);

How does PHP format numbers?

The function for formatting numbers in PHP is number_format.

I suggest you download a PHP user manual or read the online manual.

Www.itlearner.com/code/php/

Its usage is as follows:

Syntax: string number_format (float number, int [decimals], string [dec_point], string [thousands_sep]);

Return Value: String

Function Type: mathematical operation

Description

This function is used to format the floating point parameter number. If the decimals parameter is not added, only the integer part of the returned string is added. This parameter is returned based on the number of decimal places specified by the parameter. The dec_point parameter represents the decimal point. The default value is ".". You can change it to another decimal point. The thousands_sep parameter is the separator number of each three digits in the integer part. The default value is ",". The most special part of this function is the number of parameters. There must be at least one, that is, the string to be formatted. There can also be two or four parameters, but not three parameters. Fundraising? Note that the number after the specified decimal point is discarded without rounding.

Example

<?
$ Short_pi = "3.14159 ";
$ My_pi = number_format ($ short_pi, 2 );
Echo $ my_pi. "\ n"; // 3.14
$ Foo = 850017.9021;
$ New_foo = number_format ($ foo, 3 ,".","");
Echo $ new_foo. "\ n"; // 850 017.902
?>