dede str_replace函数如何正确替换字符串内容？

Of course! The str_replace function in PHP is a fundamental and extremely useful tool for string manipulation. Let's break it down in detail.

What is str_replace?

str_replace is a built-in PHP function that finds and replaces all occurrences of a specific string (or substring) within another string.

In simple terms: It scans a piece of text, looks for a "search" word or phrase, and replaces every single instance of it with a "replace" word or phrase.

The Basic Syntax

The function has three required arguments:

str_replace($search, $replace, $subject);

• $search (required): The string you want to find.
• $replace (required): The string you want to replace the $search string with.
• $subject (required): The original string where the search and replacement will happen.

The function returns a new string with the replacements made. The original $subject string is not changed.

Simple Examples

Let's start with the most basic usage.

Example 1: Replacing a single word

$original_string = "Hello World, this is a test.";
// Replace "World" with "PHP"
$new_string = str_replace("World", "PHP", $original_string);
echo $original_string; // Output: Hello World, this is a test.
echo "<br>";
echo $new_string;      // Output: Hello PHP, this is a test.

Example 2: Replacing multiple occurrences

str_replace replaces all occurrences by default.

$sentence = "I have a cat, and my cat is very cute.";
$new_sentence = str_replace("cat", "dog", $sentence);
echo $new_sentence; // Output: I have a dog, and my dog is very cute.

Advanced Usage: Arrays

The real power of str_replace comes into play when you use arrays for the $search and/or $replace arguments.

Case 1: Replacing Multiple Search Terms with a Single Replacement

You can provide an array of strings to search for, and they will all be replaced by the same replacement string.

$original_text = "The quick brown fox jumps over the lazy dog.";
$words_to_remove = ["fox", "dog"];
$replacement = "[animal]";
$new_text = str_replace($words_to_remove, $replacement, $original_text);
echo $new_text;
// Output: The quick brown [animal] jumps over the lazy [animal].

Case 2: Replacing Multiple Search Terms with Different Replacements

This is very common. You provide an array for both $search and $replace. The function will replace the first item in the $search array with the first item in the $replace array, the second with the second, and so on.

Important: The arrays must be of the same length.

$html_content = "<h1>Welcome</h1><p>This is a paragraph.</p>";
$search = ["<h1>", "</h1>", "<p>", "</p>"];
$replace = ["<h2 class='main-title'>", "</h2>", "<div class='content'>", "</div>"];
$new_html = str_replace($search, $replace, $html_content);
echo $new_html;
// Output: <h2 class='main-title'>Welcome</h2><div class='content'>This is a paragraph.</div>

Case-Insensitive Replacement

The standard str_replace function is case-sensitive. This means it will not replace "World" if the string contains "world".

To perform a case-insensitive replacement, you should use str_ireplace(). The "i" stands for "insensitive". Its usage is identical.

$original_string = "Hello World, world is beautiful.";
// str_replace (case-sensitive) will only replace "World"
$result_sensitive = str_replace("World", "PHP", $original_string);
echo $result_sensitive; // Output: Hello PHP, world is beautiful.
// str_ireplace (case-insensitive) will replace both "World" and "world"
$result_insensitive = str_ireplace("world", "PHP", $original_string);
echo $result_insensitive; // Output: Hello PHP, PHP is beautiful.

Return Value and Count Replacements

str_replace returns the new string. However, if you pass a fourth variable (a variable to store the count), it will be populated with the number of replacements made.

$log_message = "User 'admin' logged in. User 'guest' logged out.";
$search = "User";
$replace = "Client";
$count = 0; // Initialize a variable to hold the count
$new_log = str_replace($search, $replace, $log_message, $count);
echo "New Log: " . $new_log . "<br>";
echo "Number of replacements made: " . $count;
/*
Output:
New Log: Client 'admin' logged in. Client 'guest' logged out.
Number of replacements made: 2
*/

Performance and Security Considerations

Performance: str_replace vs. preg_replace

• str_replace: Is much faster because it's a simple, direct string search. It doesn't understand patterns or regular expressions.
• preg_replace: Is slower because it uses regular expressions (PCRE), which are far more powerful but require more processing power.

Rule of thumb: If you are only doing simple, literal string replacement, always use str_replace. Only use preg_replace if you need to match complex patterns (e.g., "replace any 3-digit number" or "replace a word that starts with 'a'").

Security: HTML/Entity Injection

A common mistake is using str_replace to sanitize HTML. For example, replacing <script> with an empty string to prevent XSS attacks.

This is NOT secure! A malicious user could bypass this easily.

// DANGEROUS: This is NOT secure sanitization!
$user_input = "<img src='x' onerror='alert(1)'>";
$safe_input = str_replace("<script>", "", $user_input); // Does nothing to the malicious code
echo $safe_input; // The malicious script will still execute!

How to properly sanitize HTML? If you want to allow HTML but remove potentially dangerous tags/attributes, use a dedicated library like HTML Purifier. If you want to display user input as plain text and prevent all HTML, use htmlspecialchars().

// CORRECT: To display user input as plain text
$user_input = "<b>Hello</b> <script>alert('xss')</script>";
$plain_text_output = htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
echo $plain_text_output;
// Output: &lt;b&gt;Hello&lt;/b&gt; &lt;script&gt;alert('xss')&lt;/script&gt;

Summary Table