dsj2222222 2011-12-19 23:13

Incorrect URL extraction

I am getting input from users on my site through a text area. The input may contain an <a> tag.
I want to extract the URL from the input.

$res = get_magic_quotes_gpc() ? stripslashes($data) : $data;
$res = mysql_real_escape_string($res); // php 4.3 and higher                
preg_match('#href\s*?=\s*?[\'"]?([^\'"]*)[\'"]?#i', $res, $captures);                
$href = $captures[1];

Example

If the input string is this:

$data = 'any string <a href="http://www.example.com">Any Anchor</a>';

The extracted output becomes

"\"http://www.example.com""

I checked the output after each line; the 2 double quotes come after

mysql_real_escape_string($res);

2 answers

  • duanbinian2243 2011-12-19 23:17

    mysql_real_escape_string should only AND ALWAYS be used when passing user values into MySQL queries. Don't use it for anything else, use the right escaping function for the right task.

    Here, I don't think you need to use an escape function at all. Your regular expression looks fine, I'm confident it will work if you remove the escaping function.

    Also, don't use get_magic_quotes_gpc if you can avoid it. I could explain why but I suppose the fact that it's been deprecated since PHP5.0 is evidence enough. If your host does not allow you to disable it I would consider switching to a more savvy host.


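The point made in the answer above, as an added example that is not part of either post: run the question's regex on the raw input, then escape only where the value is used. The name `extract_href`, the http/https allow-list, the `links` table and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions for illustration; `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live connection and was removed in PHP 7.

```php
<?php
// Added example, not code from the original thread.

// The regex from the question, unchanged.
const HREF_RE = '#href\s*?=\s*?[\'"]?([^\'"]*)[\'"]?#i';

// Hypothetical helper: extract the first href from unescaped input.
function extract_href(string $input): ?string
{
    if (!preg_match(HREF_RE, $input, $captures)) {
        return null;
    }
    $href = $captures[1];
    // The link is user-supplied, so accept only http/https and reject
    // schemes such as javascript: or data: before it is ever rendered.
    $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $href : null;
}

// Constructed sample input, same shape as the question's $data.
$data = 'any string <a href="http://www.example.com/?a=1&b=2">Any Anchor</a>';

// Escaping first: each double quote gains a leading backslash, so the
// capture group no longer starts at the URL.
preg_match(HREF_RE, addslashes($data), $broken);
var_dump($broken[1]);

// Extracting first: the regex sees the markup exactly as submitted.
$href = extract_href($data);
var_dump($href);

if ($href !== null) {
    // HTML context: escape at output time with the HTML escaping function.
    echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">link</a>', PHP_EOL;

    // SQL context: a bound parameter replaces manual escaping entirely.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE links (url TEXT)');
    $pdo->prepare('INSERT INTO links (url) VALUES (?)')->execute([$href]);

    // The stored value round-trips byte for byte.
    var_dump($pdo->query('SELECT url FROM links')->fetchColumn() === $href);
}
```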