Implementing support for displaying formatted user input in PHP, php formatting_PHP tutorial

PHP implements support for displaying formatted user input, PHP formatting

You can download the file attached to this document on this page, or you can process the characters in the file download This document, available for download, describes how to securely display formatted user input. We'll discuss the dangers of unsanitized output and give a safe way to display formatted output.

No danger of filtering the output

If you just get the user's input and then display it, you might break your output page, as someone could maliciously do in their submitted input box Embed javascript script:

This is my comment.
＜script language="javascript:
alert('Do something bad here!')">.

This way, Even if the user is not malicious, some of your HTML statements will be corrupted, such as a table being interrupted suddenly, or the page being displayed incompletely.


Show only unformatted text

This is the simplest solution, you just display the user-submitted information as unformatted text. Use the htmlspecialchars() function to convert all characters into HTML encoding.

For example, This is a good solution if your users only care about unformatted text content. However, it would be better if you gave it some ability to format.
Formatting with Custom Markup Tags
User's own tags for formatting

You can provide special tags for users to use, for example, you can allow the use of...emphasis,...italics Display, just do a simple search and replace operation: $output = str_replace("", "＜b>", $output);
$output = str_replace("", "＜i>", $output );

A little better, we can allow users to type in some links. For example, the user will be allowed to enter [link="url"]...[/link], and we will convert it to ＜a href="">...＜/a> statement

At this time, We cannot use a simple find and replace, we should use regular expressions for replacement:
$output = ereg_replace('[link="([[:graph:]]+)"]', '＜a href=" \1">', $output);

The execution of ereg_replace() is:
To find the string where [link="..."] appears, use [[:graph:]] means any non-empty character. Please see the related article for regular expressions.


The format_output() function in outputlib.php provides the conversion of these tags. The overall principle is:
Call htmlspecialchars() to convert HTML tags into special encodings, and will not be displayed HTML tags are filtered out,
and then a series of our custom tags are converted into corresponding HTML tags.
Please see the source code below:
＜?php


function format_output($output) {
/**************************************************************************** 
* Takes a raw string ($output) and formats it for output using a special 
* stripped down markup that is similar to HTML 
****************************************************************************/

$ output = htmlspecialchars(stripslashes($output));

/* new paragraph */
$output = str_replace('[p]', '＜p>', $output);

/* bold */
$output = str_replace('', '＜b>', $output);
$output = str_replace('', '＜/b>', $output) ;

/* italics */
$output = str_replace('', '＜i>', $output);
$output = str_replace('', '＜/i>' , $output);

/* preformatted */
$output = str_replace('[pre]', '＜pre>', $output);
$output = str_replace('[ /pre]', '＜/pre>', $output);

/* indented blocks (blockquote) */
$output = str_replace('

', '＜blockquote>', $output); <br />$output = str_replace('

', '＜/blockquote>', $output);

/* anchors */
$output = ereg_replace('[anchor="([[:graph:]]+)"]' , '＜a name="\1">＜/a>', $output);

/* links, note we try to prevent javascript in links */
$output = str_replace( '[link="javascript', '[link=" javascript', $output);
$output = ereg_replace('[link="([[:graph:]]+)"]', '＜a href="\1">', $output);
$output = str_replace('[/link]', '＜/a>', $output);

return nl2br($ output);
}

?>

Some things to note:

Remember to replace the custom tag to generate the HTML tag string by calling htmlspecialchars() function, not before this call, otherwise your hard work will be wasted after calling htmlspecialchars().

After conversion, the search HTML code will be replaced, such as the double quotation mark "will become"

nl2br() function converts the carriage return and line feed character into a

When converting [links=""] to
outputlib.php
Call test.php in the browser, you can see the usage of format_output()

Normal HTML tags cannot be used, replace them with the following special tags It:

- this is bold
- this is italics
- this is [link="http://www.phpbuilder.com"]a link[/link]
- this is [anchor="test"]an anchor, and a [link="#test"]link[/link] to the anchor

[p]paragraph
[pre]pre-formatted[ /pre]

交错文本

These are just a few tags, of course, you can feel free to add more tags according to your needs

Conclusion
Conclusion

This discussion is provided to safe display users The input method can be used in the following programs

Message Board
User Suggestions
System Announcement
BBS System

Detailed description: http://php.662p.com/thread-343-1-1.html

PHP makes a web page to support users to upload pictures and display them How to achieve

Front desk:
f0056769eec12d6d75815f4def1ab43b
2cadc1dfb75ef927580e2710cd18608f
f5a47148e367a6035fd7a2faa965022e
Backend:
$pic_data = $_FILES["myFile"]["tmp_name"];
$pic_size = $_FILES[" myFile"]["size"];
$filepic = addslashes(fread(fopen($pic_data, "rb"), $pic_size ));
Just add the statement to insert into the database, such as ："insert into pic(id,picture) values(1,$filepic)"
Display picture:
header("Content-type:image/jpeg");
Connect to database
$result =mysql_query("select * from pic where id=1");
$myrow=mysql_fetch_array($result);
echo ($myrow["picture"]);

How to format numbers in PHP?

PHP’s function for formatting numbers is number_format

I suggest you download a PHP manual, or read online manuals.

www.itlearner.com/code/php/

About its usage is as follows:

Syntax: string number_format(float number, int [decimals], string [dec_point ], string [thousands_sep]);

Return value: String

Function type: Mathematical operation

Content description

This function is used to convert floating Point parameter number format. If the parameter decimals is not added, only the integer part of the returned string will be returned. If this parameter is added, the number of decimal points specified by the parameter will be returned. The parameter dec_point represents the decimal point representation method. The default value is ".". If you need to convert to other decimal points, you can change this parameter. The parameter thousands_sep is the separator character for every three digits in the integer part. The default value is ",". The most special thing about this function is the number of parameters. There must be at least one, which is the string to be formatted; it can also have two or four parameters, but three parameters cannot be used. Please note that the numbers after the specified decimal point are discarded directly without rounding.

Usage Example

1465e6f997787a168b954ac095e0d42f

http://www.bkjia.com/PHPjc/840767.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/840767.htmlTechArticlePHP implements support for displaying formatted user input. For php formatting, you can download the accompanying document on this page. file, you can also download this file in the character processing in file download...