Bug #50743 No escape function escapes “” properly
Submitted: 2010-01-13 18:19 UTC Modified: 2010-01-14 16:43 UTC
From: eric at sharecorp dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.2.12 OS: Linux
Private report: No CVE-ID: None
 [2010-01-13 18:19 UTC] eric at sharecorp dot com
Description:
------------
None of the escaping functions are able to properly handle “” style quotes, which are produced by default by OpenOffice.  Functions that I have tested include mysql_real_escape_string, htmlentities, addslashes and addcslashes.  This behavior causes text insertion into MySQL to fail as it interprets these quotes as normal double quotes.


 

Reproduce code:
---------------
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article = nl2br(htmlentities($_POST['article'], ENT_QUOTES));
//<snip of some file handling>
$query = "INSERT INTO news (title, date, tagline, article, image, image_orig) VALUES ('$title', '$date', '$tagline', '$article', '$image', '$image_orig')";



Expected result:
----------------
The “” should be caught, escaped properly and not affect the query. In this case $article was the variable containing the quotes in question.

Actual result:
--------------
All text after the opening quote is dropped from the data inserted into the query.

 [2010-01-13 18:25 UTC] rasmus@php.net
Are you sure?

mysql> select * from users where name=?rlerdorf?;
ERROR 1064 (42000): You have an error in your SQL syntax; check the 
manual that corresponds to your MySQL server version for the right 
syntax to use near '&#65533;&#65533;rlerdorf&#65533;&#65533;' at line 1
mysql> select * from users where name="?rlerdorf?";
Empty set (0.03 sec)

As far as I can tell, MySQL does not treat those odd quotes as regular 
quotes anywhere.

Please provide a standalone test case along with your MySQL version 
that shows this.
 [2010-01-13 18:54 UTC] eric at sharecorp dot com
MySQL version 5.0.84-r1 from Gentoo Portage.
Standalone example follows:
form.php
_____________________________________________________

<html>
<form action="handler.php" method="post">
Input: <textarea name="article" rows="5" cols="75"></textarea>
<input type="submit" name="submit" value="Add News">
</form>
</html>

______________________________________________
handler.php
_______________________________________________
<?php
$host="127.0.0.1";
$user="user";
$dbpassword="password";
$db="db";
$connection = mysql_connect($host,$user,$dbpassword) or die("Couldn't connect");
$db=mysql_select_db($db);
$article = nl2br(htmlentities($_POST['article'],ENT_QUOTES));
$query = "INSERT INTO news2 (title, date, tagline, article, image, image_orig) VALUES ('testing', '01-13-2010', 'testing', '$article', '0', '0')";
mysql_query($query) or die("couldn't execute query".mysql_error());
?>
____________________________________________________________________
SQL for creating news2
_____________________________________________________________________
CREATE TABLE IF NOT EXISTS `news2` (
  `id` int(11) NOT NULL auto_increment,
  `title` varchar(40) collate utf8_unicode_ci NOT NULL,
  `date` date NOT NULL,
  `tagline` varchar(120) collate utf8_unicode_ci NOT NULL,
  `article` text collate utf8_unicode_ci NOT NULL,
  `image` int(11) NOT NULL,
  `image_orig` int(11) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=44 ;
_____________________________________________________________________
Demo text
__________________________________________________________________
We are pleased to announce our improved website.  We've updated it to have a cleaner, more modern look, improved existing features and added some new features as well.

Let's take a quick tour of the “Products” section.  The first thing you'll notice when you click on the “Products” link is that the product categories have been updated.  This is now consistent with our 2010 Color Catalog.  The second thing that you'll notice is that the products may not be listed alphabetically in their respective categories.  The products are now ranked by the most clicked on to least clicked on.  In other words, our most popular products are listed at the top of each category.  A third thing you may notice is that there's an “Equipment” section.  All of the products listed in the Color Catalog's Equipment section can now be found here along with a picture.  
___________________________________________________________
The insertion of the above text falters after "Let's take a quick tour of the" and nothing else posts.
 [2010-01-14 10:20 UTC] jani@php.net
htmlentities() is not unicode aware in PHP 5.x. Use the mbstring / iconv functions to deal with such strings.
 [2010-01-14 15:20 UTC] eric at sharecorp dot com
What about mysql_real_escape_string, should that function not catch these types of inputs?
 [2010-01-14 16:43 UTC] rasmus@php.net
mysql_real_escape_string() does take the character set of the 
connection into account.  I also tested your script, with a slight 
change.  You forgot to pass 'UTF-8' to your htmlentities call:

<?php
$host="127.0.0.1"; $user="root";
$dbpassword=""; $db="foo";
$connection = mysql_connect($host,$user,$dbpassword) or die("Couldn't connect");
$db=mysql_select_db($db);
$article = nl2br(htmlentities("“test”",ENT_QUOTES,'UTF-8'));
$query = "INSERT INTO news2 (title, date, tagline, article, image, image_orig) VALUES ('testing', '01-13-2010', 'testing', '$article', '0', '0')";
mysql_query($query) or die("couldn't execute query".mysql_error());


And using the scheme you provided this works fine.  A mysqldump on the 
news2 table shows:

INSERT INTO `news2` VALUES (46,'testing','0000-00-00','testing','&ldquo;test&rdquo;',0,0);

which is what I would expect.  

Also, without any escaping, the insert doesn't break and those quotes 
are not treated as normal quotes.  You simply get mojibake in your DB:

INSERT INTO `news2` VALUES (49,'testing','0000-00-00','testing','?
??test”',0,0);

If you are getting them treated as normal quotes you must have 
something else going on somewhere in your code.  I still see no bug 
here.
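
The charset points from the replies above, as an added example that is not part of the bug report or of PHP's own code. It swaps the `mysql_*` calls for PDO bound parameters, escapes for HTML at output time rather than before the insert, and uses in-memory SQLite as a stand-in for the MySQL `news2` table; the function names and the sample text are assumptions made for illustration.

```php
<?php
// Added example (not from the bug report). Needs mbstring and pdo_sqlite;
// in-memory SQLite stands in for the MySQL news2 table. Names are hypothetical.

// Reject input that is not valid UTF-8 before it reaches the database.
function clean_article($raw) {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('article is not valid UTF-8');
    }
    return $raw;
}

// Store the raw text through a bound parameter, so no character in the
// text is ever parsed as part of the SQL statement.
function store_article(PDO $pdo, $raw) {
    $stmt = $pdo->prepare(
        'INSERT INTO news2 (title, tagline, article) VALUES (?, ?, ?)');
    $stmt->execute(array('testing', 'testing', clean_article($raw)));
    return (int) $pdo->lastInsertId();
}

// Escape for HTML at output time, naming the charset explicitly.
function render_article($stored) {
    return nl2br(htmlentities($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: U+201C / U+201D written as their UTF-8 bytes.
$article = "Let's take a tour of the \xE2\x80\x9CProducts\xE2\x80\x9D section.";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news2 (id INTEGER PRIMARY KEY, title TEXT, tagline TEXT, article TEXT)');

$id  = store_article($pdo, $article);
$sel = $pdo->prepare('SELECT article FROM news2 WHERE id = ?');
$sel->execute(array($id));
$row = $sel->fetchColumn();

var_dump($row === $article);      // compares the stored bytes with the input
echo render_article($row), "\n";  // HTML-escaped with the charset named

// The mismatch from the report: read as ISO-8859-1, each UTF-8 byte is
// treated as a separate character, so the quote is not seen as one symbol.
echo bin2hex(htmlentities("\xE2\x80\x9C", ENT_QUOTES, 'ISO-8859-1')), "\n";

try {
    store_article($pdo, "broken \xE2\x80 sequence");  // constructed invalid UTF-8
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Against MySQL the PDO DSN would also name the connection character set (the `charset=` option), so that the client and the `utf8` table above agree on how the bytes are read.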
