ID:               50743
User updated by:  eric at sharecorp dot com
Reported By:      eric at sharecorp dot com
-Status:          Feedback
+Status:          Open
Bug Type:         Strings related
Operating System: Linux
PHP Version:      5.2.12
New Comment:

MySQL version 5.0.84-r1 from Gentoo portage. Standalone example follows:

form.php
_____________________________________________________
<html>
<form action="handler.php" method="post">
Input: <textarea name="article" rows="5" cols="75"></textarea>
<input type="submit" name="submit" value="Add News">
</form>
</html>
______________________________________________

handler.php
_______________________________________________
<?php
// Connection settings for the test database
$host="127.0.0.1";
$user="user";
$dbpassword="password";
$db="db";
$connection = mysql_connect($host,$user,$dbpassword) or die("Couldn't connect");
$db=mysql_select_db($db);
// Encode the posted text as in the original report, then build the INSERT by interpolation
$article = nl2br(htmlentities($_POST['article'],ENT_QUOTES));
$query = "INSERT INTO news2 (title, date, tagline, article, image, image_orig) VALUES ('testing', '01-13-2010', 'testing', '$article', '0', '0')";
mysql_query($query) or die("couldn't execute query".mysql_error());
?>
____________________________________________________________________

SQL for creating news2
_____________________________________________________________________
CREATE TABLE IF NOT EXISTS `news2` (
  `id` int(11) NOT NULL auto_increment,
  `title` varchar(40) collate utf8_unicode_ci NOT NULL,
  `date` date NOT NULL,
  `tagline` varchar(120) collate utf8_unicode_ci NOT NULL,
  `article` text collate utf8_unicode_ci NOT NULL,
  `image` int(11) NOT NULL,
  `image_orig` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=44 ;
_____________________________________________________________________

Demo text
__________________________________________________________________
We are pleased to announce our improved website. We've updated it to have a cleaner, more modern look, improved existing features and added some new features as well. Let's take a quick tour of the Products section. The first thing you'll notice when you click on the Products link is that the product categories have been updated. This is now consistent with our 2010 Color Catalog.

The second thing that you'll notice is that the products may not be listed alphabetically in their respective categories. The products are now ranked by the most clicked on to least clicked on. In other words, our most popular products are listed at the top of each category. A third thing you may notice is that there's an Equipment section. All of the products listed in the Color Catalog's Equipment section can now be found here along with a picture.
___________________________________________________________

The insertion of the above text falters after "Let's take a quick tour of the" and nothing else posts.

Previous Comments:
------------------------------------------------------------------------

[2010-01-13 18:25:35] ras...@php.net

Are you sure?

mysql> select * from users where name=rlerdorf;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��rlerdorf��' at line 1
mysql> select * from users where name="rlerdorf";
Empty set (0.03 sec)

As far as I can tell, MySQL does not treat those odd quotes as regular quotes anywhere. Please provide a standalone test case along with your MySQL version that shows this.

------------------------------------------------------------------------

[2010-01-13 18:19:59] eric at sharecorp dot com

Description:
------------
None of the escaping functions are able to properly handle style quotes, which are produced by default by open office. Functions that I have tested include mysql_real_escape_string, htmlentities, addslashes and addcslashes. This behavior causes text insertion into mysql to fail as it interprets these quotes as normal double quotes.

Reproduce code:
---------------
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article = nl2br(htmlentities($_POST['article'],ENT_QUOTES));
//<snip of some file handling>
$query = "INSERT INTO news (title, date, tagline, article, image, image_orig) VALUES ('$title', '$date', '$tagline', '$article', '$image', '$image_orig')";

Expected result:
----------------
The should be caught, escaped properly and not affecting the query. In this case $article was the variable containing the quotes in question.

Actual result:
--------------
All text after the opening quote is dropped from the data inserted into the query.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50743&edit=1
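
Added example (not code from this bug report or from the PHP project): the handler's insert done with bound parameters, so quote characters in the article never become part of the SQL text, with an encoding check before storing. It assumes that input which is not valid UTF-8 was typed in a Windows-1252 client; `to_utf8`, `store_article`, the sample sentences and the in-memory SQLite stand-in for MySQL are hypothetical choices made for the demo.

```php
<?php
// Added example, not code from the bug report.
// Assumption: input that is not valid UTF-8 came from a Windows-1252 client.

/** Return $raw as valid UTF-8, converting from Windows-1252 when it is not. */
function to_utf8(string $raw): string
{
    if (mb_check_encoding($raw, 'UTF-8')) {
        return $raw;
    }
    return mb_convert_encoding($raw, 'UTF-8', 'Windows-1252');
}

/** Insert one article with bound parameters and return the text as stored. */
function store_article(PDO $pdo, string $raw): string
{
    $stmt = $pdo->prepare(
        'INSERT INTO news2 (title, date, tagline, article, image, image_orig)
         VALUES (:title, :date, :tagline, :article, 0, 0)'
    );
    $stmt->execute([
        ':title'   => 'testing',
        ':date'    => '2010-01-13',
        ':tagline' => 'testing',
        ':article' => to_utf8($raw), // stored unencoded; HTML-encode on output
    ]);
    $read = $pdo->prepare('SELECT article FROM news2 WHERE id = ?');
    $read->execute([$pdo->lastInsertId()]);
    return $read->fetchColumn();
}

// In-memory SQLite keeps the demo offline. For MySQL the DSN would be e.g.
// 'mysql:host=127.0.0.1;dbname=db;charset=utf8mb4' so client and table agree.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news2 (id INTEGER PRIMARY KEY, title TEXT, date TEXT,
            tagline TEXT, article TEXT, image INTEGER, image_orig INTEGER)');

// Constructed inputs: one sentence with typographic quotes, first as
// Windows-1252 bytes (0x92, 0x93, 0x94), then as UTF-8.
$cp1252 = "Let\x92s take a quick tour of the \x93Products\x94 section.";
$utf8   = "Let\u{2019}s take a quick tour of the \u{201C}Products\u{201D} section.";

// Both variants must come back complete and identical.
var_dump(store_article($pdo, $cp1252) === $utf8);
var_dump(store_article($pdo, $utf8) === $utf8);
```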