#50743 [Bgs]: No escape function escapes properly

2010-01-14 Thread rasmus
 ID:   50743
 Updated by:   ras...@php.net
 Reported By:  eric at sharecorp dot com
 Status:   Bogus
 Bug Type: Strings related
 Operating System: Linux
 PHP Version:  5.2.12
 New Comment:

mysql_real_escape_string() does take the character set of the 
connection into account.  I also tested your script, with a slight 
change.  You forgot to pass 'UTF-8' to your htmlentities call:



Input: 




__
handler.php
___


SQL for creating news2
_
CREATE TABLE IF NOT EXISTS `news2` (
  `id` int(11) NOT NULL auto_increment,
  `title` varchar(40) collate utf8_unicode_ci NOT NULL,
  `date` date NOT NULL,
  `tagline` varchar(120) collate utf8_unicode_ci NOT NULL,
  `article` text collate utf8_unicode_ci NOT NULL,
  `image` int(11) NOT NULL,
  `image_orig` int(11) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
AUTO_INCREMENT=44 ;
_
Demo text
__
We are pleased to announce our improved website.  We've updated it to
have a cleaner, more modern look, improved existing features and added
some new features as well.

Let's take a quick tour of the “Products” section.  The first thing
you'll notice when you click on the “Products” link is that the product
categories have been updated.  This is now consistent with our 2010
Color Catalog.  The second thing that you'll notice is that the products
may not be listed alphabetically in their respective categories.  The
products are now ranked by the most clicked on to least clicked on.  In
other words, our most popular products are listed at the top of each
category.  A third thing you may notice is that there's an “Equipment”
section.  All of the products listed in the Color Catalog's Equipment
section can now be found here along with a picture.  
___
The insertion of the above text falters after "Let's take a quick tour
of the" and nothing else posts.



[2010-01-13 18:25:35] ras...@php.net

Are you sure?

mysql> select * from users where name=“rlerdorf”;
ERROR 1064 (42000): You have an error in your SQL syntax; check the 
manual that corresponds to your MySQL server version for the right 
syntax to use near '“rlerdorf”' at line 1
mysql> select * from users where name="“rlerdorf”";
Empty set (0.03 sec)

As far as I can tell, MySQL does not treat those odd quotes as regular
quotes anywhere.

Please provide a standalone test case along with your MySQL version 
that shows this.



[2010-01-13 18:19:59] eric at sharecorp dot com

Description:

None of the escaping functions are able to properly handle “” style
quotes, which are produced by default by open office.  Functions that I
have tested include mysql_real_escape_string, htmlentities, addslashes
and addcslashes.  This behavior causes text insertion into mysql to fail
as it interprets these quotes as normal double quotes.


 

Reproduce code:
---
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article =nl2br(htmlentities($_POST['article'],ENT_QUOTES));
//
$query = "INSERT INTO news (title, date, tagline, article, image,
image_orig) VALUES ('$title', '$date', '$tagline', '$article',
'$image', '$image_orig')";



Expected result:

The “” should be caught, escaped properly and not affect the query.
In this case $article was the variable containing the quotes in question.

Actual result:
--
All text after the opening quote is dropped from the data inserted into
the query.





-- 
Edit this bug report at http://bugs.php.net/?id=50743&edit=1
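
The points raised in the comments above (curly quotes are not SQL quotes, and htmlentities() needs the 'UTF-8' argument), as an added example that is not part of the original thread. It assumes PHP 7 or later with pdo_sqlite; the in-memory SQLite database stands in for the reporter's MySQL server so the script runs offline, and the sample text is constructed from the report's demo text.

```php
<?php
// Added example, not code from the bug thread. Table "news2" and column
// "article" follow the report; SQLite in memory is an assumption made so the
// script runs offline (for MySQL, use a PDO DSN with charset=utf8mb4).

// Constructed sample input: UTF-8 text with U+201C / U+201D curly quotes.
$article = "Let's take a quick tour of the \u{201C}Products\u{201D} section.";

// 1. A curly quote is a three-byte UTF-8 sequence, not ASCII 0x22, so it
//    cannot terminate a SQL string literal.
$open = "\u{201C}";
printf("U+201C bytes:  %s\n", strtoupper(bin2hex($open)));

// 2. htmlentities() decodes its input using the charset argument. Forcing
//    ISO-8859-1 (the default before PHP 5.4) treats each byte as its own
//    character; passing 'UTF-8' decodes the quote as one character.
$wrong = htmlentities($open, ENT_QUOTES, 'ISO-8859-1');
$right = htmlentities($open, ENT_QUOTES, 'UTF-8');
printf("as ISO-8859-1: %s (hex)\n", bin2hex($wrong));
printf("as UTF-8:      %s\n", $right);

// 3. Store the raw text through a bound parameter instead of interpolating
//    it into the INSERT statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news2 (id INTEGER PRIMARY KEY, article TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO news2 (article) VALUES (:article)');
$stmt->execute([':article' => $article]);

// 4. Read it back, confirm nothing was dropped, and HTML-escape only at
//    output time with an explicit charset.
$stored = $pdo->query('SELECT article FROM news2 WHERE id = 1')->fetchColumn();
var_dump($stored === $article);
echo nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')), "\n";
```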



#50743 [Bgs]: No escape function escapes properly

2010-01-14 Thread eric at sharecorp dot com
 ID:   50743
 User updated by:  eric at sharecorp dot com
 Reported By:  eric at sharecorp dot com
 Status:   Bogus
 Bug Type: Strings related
 Operating System: Linux
 PHP Version:  5.2.12
 New Comment:

What about mysql_real_escape_string, should that function not catch
these types of inputs?


Previous Comments:


[2010-01-14 10:20:51] j...@php.net

htmlentities() is not unicode aware in PHP 5.x. Use the mbstring /
iconv functions to deal with such strings.



[2010-01-13 18:54:05] eric at sharecorp dot com

Mysql version 5.0.84-r1 from gentoo portage.
Stand alone example follows:
form.php
_



Input: 




__
handler.php
___


SQL for creating news2
_
CREATE TABLE IF NOT EXISTS `news2` (
  `id` int(11) NOT NULL auto_increment,
  `title` varchar(40) collate utf8_unicode_ci NOT NULL,
  `date` date NOT NULL,
  `tagline` varchar(120) collate utf8_unicode_ci NOT NULL,
  `article` text collate utf8_unicode_ci NOT NULL,
  `image` int(11) NOT NULL,
  `image_orig` int(11) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
AUTO_INCREMENT=44 ;
_
Demo text
__
We are pleased to announce our improved website.  We've updated it to
have a cleaner, more modern look, improved existing features and added
some new features as well.

Let's take a quick tour of the “Products” section.  The first thing
you'll notice when you click on the “Products” link is that the product
categories have been updated.  This is now consistent with our 2010
Color Catalog.  The second thing that you'll notice is that the products
may not be listed alphabetically in their respective categories.  The
products are now ranked by the most clicked on to least clicked on.  In
other words, our most popular products are listed at the top of each
category.  A third thing you may notice is that there's an “Equipment”
section.  All of the products listed in the Color Catalog's Equipment
section can now be found here along with a picture.  
___
The insertion of the above text falters after "Let's take a quick tour
of the" and nothing else posts.


