Replacement for strip_tags that allows <, <=, >=, > in SQL - regular expression?

Problem description:

I'm using wp-db.php on a non-WordPress site which allows an apply_filters function to be used. I initially did this:

function apply_filters($type, $input) {
    return strip_tags($input);
}

I want to stop html from being saved. I thought I fixed the problem but then noticed that sql queries that included things like <= weren't working.

What I want it to do is to strip tags that begin with a character e.g. <b... but if there is a space or equals sign after the bracket e.g. < or <= then it shouldn't remove it.

I found this code but it doesn't work how I want it to:

preg_replace('/<[^>]*>/', '', $input);

e.g.

<b>test</b> abc <= def < ok? ilj >= xyz >

gets returned as:

test abc = xyz >

it should only remove <x...> where x is not a space or equals sign and remove </....>

BTW I noticed that < script> doesn't work so I think it's ok for < with a space after to stay.

Only the first tag is valid:

<b>1</b> <0b>2</0b> < b>3</ > <'b>4</'b> <(>5</(> <=>6</=>

This non-greedy regex removes the valid and closing tags:

/<[^(=\d' )].*?>/g

In PHP:

preg_replace('/<[^(=\d\' )].*?>/', '', $input);

See https://regex101.com/

I had those other tags due to sql like:

col1 < 10
col2 <10
col3 <'2010-10-10'
col4 <(SELECT col5...)
col5 <=20

You can use some preg_match string to perform the operation, but it's not certain that it will work on all custom strings. So you can use the htmlspecialchars function, which will change the

&gt; is >

&lt; is <

You can get more about the function here

http://www.w3schools.com/html/html_entities.asp

After that, apply strip_tags, then it will work for you.

So you have to go with the preg_match function. Try this one.

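     // The /e modifier was removed in PHP 7; preg_replace_callback does the same job without evaluating a string as code.
     preg_replace_callback('# <(?![/a-z]) | (?<=\s)>(?![a-z]) #xi', function ($m) { return htmlentities($m[0]); }, $html);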
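
The following is an added example, not code from the question or either answer. It runs the non-greedy regex from the first answer over constructed inputs, next to the htmlspecialchars encoding the second answer mentions. It shows that the regex still deletes SQL text when `<` is followed directly by a letter or by `>` and another `>` appears later in the string. The function names and sample strings are assumptions made for the illustration.

```php
<?php
// Added example: function names and sample strings are constructed here.

// Regex from the answer above: remove "<...>" unless the character after
// "<" is "(", "=", a digit, a single quote or a space.
function strip_tags_keep_operators(string $input): string
{
    return preg_replace('/<[^(=\d\' )].*?>/', '', $input) ?? $input;
}

// Alternative from the second answer: leave the text intact and encode the
// HTML metacharacters instead of deleting anything.
function encode_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the question's test string and SQL-style conditions.
$samples = [
    "<b>test</b> abc <= def < ok? ilj >= xyz >",
    "col1 < 10 AND col3 <'2010-10-10' AND col5 <=20",
    "col1<col2 AND col3>5",    // "<" directly followed by a column name
    "price <> 0 AND qty > 1",  // SQL "not equal" operator
];

foreach ($samples as $s) {
    $stripped = strip_tags_keep_operators($s);
    printf("input:    %s\n", $s);
    printf("stripped: %s%s\n", $stripped, $stripped === $s ? '' : '   [changed]');
    printf("encoded:  %s\n\n", encode_html($s));
}
```

Compare the `stripped` and `encoded` lines for the last two samples: deletion changes the condition itself, while encoding keeps every operator and leaves any markup inert when the text is later written into an HTML page.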