#50743 [Bgs]: No escape function escapes properly
ID: 50743 Updated by: ras...@php.net Reported By: eric at sharecorp dot com Status: Bogus Bug Type: Strings related Operating System: Linux PHP Version: 5.2.12 New Comment: mysql_real_escape_string() does take the character set of the connection into account. I also tested your script, with a slight change. You forgot to pass 'UTF-8' to your htmlentities call: Input: __ handler.php ___ SQL for creating news2 _ REATE TABLE IF NOT EXISTS `news2` ( `id` int(11) NOT NULL auto_increment, `title` varchar(40) collate utf8_unicode_ci NOT NULL, `date` date NOT NULL, `tagline` varchar(120) collate utf8_unicode_ci NOT NULL, `article` text collate utf8_unicode_ci NOT NULL, `image` int(11) NOT NULL, `image_orig` int(11) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=44 ; _ Demo text __ We are pleased to announce our improved website. We've updated it to have a cleaner, more modern look, improved existing features and added some new features as well. Let's take a quick tour of the Products section. The first thing you'll notice when you click on the Products link is that the product categories have been updated. This is now consistent with our 2010 Color Catalog. The second thing that you'll notice is that the products may not be listed alphabetically in their respective categories. The products are now ranked by the most clicked on to least clicked on. In other words, our most popular products are listed at the top of each category. A third thing you may notice is that there's an Equipment section. All of the products listed in the Color Catalog's Equipment section can now be found here along with a picture. ___ The insertion of the above text falters after "Let's take a quick tour of the" and nothing else posts. [2010-01-13 18:25:35] ras...@php.net Are you sure? mysql> select * from users where name=rlerdorf; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��rlerdorf��' at line 1 mysql> select * from users where name="rlerdorf"; Empty set (0.03 sec) As far as I can tell, MySQL does not treat those odd quotes as regular quotes anywhere. Please provide a standalone test case along with your MySQL version that shows this. [2010-01-13 18:19:59] eric at sharecorp dot com Description: None of the escaping functions are able to properly handle style quotes, which are produced by default by open office. Functions that I have tested include mysql_real_escape_string, htmlentities, addslashes and addcslashes. This behavior causes text insertion into mysql to fail as it interprets these quotes as normal double quotes. Reproduce code: --- $title = $_POST['title']; $date = $_POST['date']; $tagline = $_POST['tagline']; $article =nl2br(htmlentities($_POST['article'],ENT_QUOTES)); // $query = "INSERT INTO news (title, date, tagline, article, image, image_orig) VALUES ('$title', '$date', '$tagline', '$article', '$image',$image_orig')" Expected result: The should be caught, escaped properly and not affecting the query. In this case $article was the varible containing the quotes in question. Actual result: -- All text after the opening quote is dropped from the data inserted into the query. -- Edit this bug report at http://bugs.php.net/?id=50743&edit=1
#50743 [Bgs]: No escape function escapes properly
ID: 50743 User updated by: eric at sharecorp dot com Reported By: eric at sharecorp dot com Status: Bogus Bug Type: Strings related Operating System: Linux PHP Version: 5.2.12 New Comment: What about mysql_real_escape_string, should that function not catch these types of inputs? Previous Comments: [2010-01-14 10:20:51] j...@php.net htmlentities() is not unicode aware in PHP 5.x. Use the mbstring / iconv functions to deal with such strings. [2010-01-13 18:54:05] eric at sharecorp dot com Mysql version 5.0.84-r1 from gentoo portage. Stand alone example follows: form.php _ Input: __ handler.php ___ SQL for creating news2 _ REATE TABLE IF NOT EXISTS `news2` ( `id` int(11) NOT NULL auto_increment, `title` varchar(40) collate utf8_unicode_ci NOT NULL, `date` date NOT NULL, `tagline` varchar(120) collate utf8_unicode_ci NOT NULL, `article` text collate utf8_unicode_ci NOT NULL, `image` int(11) NOT NULL, `image_orig` int(11) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=44 ; _ Demo text __ We are pleased to announce our improved website. We've updated it to have a cleaner, more modern look, improved existing features and added some new features as well. Let's take a quick tour of the Products section. The first thing you'll notice when you click on the Products link is that the product categories have been updated. This is now consistent with our 2010 Color Catalog. The second thing that you'll notice is that the products may not be listed alphabetically in their respective categories. The products are now ranked by the most clicked on to least clicked on. In other words, our most popular products are listed at the top of each category. A third thing you may notice is that there's an Equipment section. All of the products listed in the Color Catalog's Equipment section can now be found here along with a picture. ___ The insertion of the above text falters after "Let's take a quick tour of the" and nothing else posts. [2010-01-13 18:25:35] ras...@php.net Are you sure? mysql> select * from users where name=rlerdorf; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��rlerdorf��' at line 1 mysql> select * from users where name="rlerdorf"; Empty set (0.03 sec) As far as I can tell, MySQL does not treat those odd quotes as regular quotes anywhere. Please provide a standalone test case along with your MySQL version that shows this. [2010-01-13 18:19:59] eric at sharecorp dot com Description: None of the escaping functions are able to properly handle style quotes, which are produced by default by open office. Functions that I have tested include mysql_real_escape_string, htmlentities, addslashes and addcslashes. This behavior causes text insertion into mysql to fail as it interprets these quotes as normal double quotes. Reproduce code: --- $title = $_POST['title']; $date = $_POST['date']; $tagline = $_POST['tagline']; $article =nl2br(htmlentities($_POST['article'],ENT_QUOTES)); // $query = "INSERT INTO news (title, date, tagline, article, image, image_orig) VALUES ('$title', '$date', '$tagline', '$article', '$image',$image_orig')" Expected result: The should be caught, escaped properly and not affecting the query. In this case $article was the varible containing the quotes in question. Actual result: -- All text after the opening quote is dropped from the data inserted into the query. -- Edit this bug report at http://bugs.php.net/?id=50743&edit=1