 ID:               50743
 Updated by:       ras...@php.net
 Reported By:      eric at sharecorp dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Strings related
 Operating System: Linux
 PHP Version:      5.2.12
 New Comment:

Are you sure?

mysql> select * from users where name=rlerdorf;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '��rlerdorf��' at line 1
mysql> select * from users where name="rlerdorf";
Empty set (0.03 sec)

As far as I can tell, MySQL does not treat those odd quotes as regular quotes anywhere. Please provide a standalone test case along with your MySQL version that shows this.


Previous Comments:
------------------------------------------------------------------------

[2010-01-13 18:19:59] eric at sharecorp dot com

Description:
------------
None of the escaping functions are able to properly handle style quotes, which are produced by default by open office. Functions that I have tested include mysql_real_escape_string, htmlentities, addslashes and addcslashes. This behavior causes text insertion into mysql to fail as it interprets these quotes as normal double quotes.

Reproduce code:
---------------
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article =nl2br(htmlentities($_POST['article'],ENT_QUOTES));
//<snip of some file handling>
$query = "INSERT INTO news (title, date, tagline, article, image, image_orig) VALUES ('$title', '$date', '$tagline', '$article', '$image',$image_orig')"

Expected result:
----------------
The should be caught, escaped properly and not affecting the query. In this case $article was the variable containing the quotes in question.

Actual result:
--------------
All text after the opening quote is dropped from the data inserted into the query.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50743&edit=1
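
An added example, not part of the bug report or of PHP's own code: it contrasts the interpolated INSERT style from the reproduce code with bound parameters, using input that contains typographic quotes. Assumptions: PHP 7 or later with the pdo_sqlite extension, an in-memory SQLite database standing in for MySQL, a reduced `news` table, and constructed sample text.

```php
<?php
// Added example: SQLite in-memory stands in for MySQL so the script runs offline.
// The table is a reduced form of the report's `news` table; sample text is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (title TEXT, article TEXT)');

// Constructed input: typographic quotes (U+201C / U+201D) plus one ASCII apostrophe.
$title   = 'Launch';
$article = "She said \u{201C}hello\u{201D} and it's done";

// In UTF-8, U+201C is the three bytes e2 80 9c. None of them is 0x22 (") or
// 0x27 ('), so quote-escaping functions have nothing to escape in it.
printf("U+201C bytes: %s\n", bin2hex("\u{201C}"));
$curly = "\u{201C}hello\u{201D}";
printf("addslashes leaves curly quotes unchanged: %s\n",
    var_export(addslashes($curly) === $curly, true));

// Interpolation, as in the reproduce code: the ASCII apostrophe in the
// unescaped value ends the SQL string literal early and the statement fails.
try {
    $db->exec("INSERT INTO news (title, article) VALUES ('$title', '$article')");
    echo "interpolated insert: ok\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

// Bound parameters: the values travel separately from the SQL text, so
// neither ASCII nor typographic quotes can change the statement.
$stmt = $db->prepare('INSERT INTO news (title, article) VALUES (:title, :article)');
$stmt->execute([':title' => $title, ':article' => $article]);

// Only the bound insert succeeded, so this reads back that single row.
$stored = $db->query('SELECT article FROM news')->fetchColumn();
printf("round trip intact: %s\n", var_export($stored === $article, true));
```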