ID: 50743
Updated by: [email protected]
Reported By: eric at sharecorp dot com
-Status: Open
+Status: Feedback
Bug Type: Strings related
Operating System: Linux
PHP Version: 5.2.12
New Comment:
Are you sure?
mysql> select * from users where name=rlerdorf;
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near '“rlerdorf”' at line 1
mysql> select * from users where name="rlerdorf";
Empty set (0.03 sec)
As far as I can tell, MySQL does not treat those odd quotes as regular
quotes anywhere.
Please provide a standalone test case along with your MySQL version
that shows this.
Previous Comments:
------------------------------------------------------------------------
[2010-01-13 18:19:59] eric at sharecorp dot com
Description:
------------
None of the escaping functions are able to properly handle style
quotes, which are produced by default by open office. Functions that I
have tested include mysql_real_escape_string, htmlentities, addslashes
and addcslashes. This behavior causes text insertion into mysql to fail
as it interprets these quotes as normal double quotes.
Reproduce code:
---------------
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article =nl2br(htmlentities($_POST['article'],ENT_QUOTES));
//<snip of some file handling>
$query = "INSERT INTO news (title, date, tagline, article, image,
image_orig) VALUES ('$title', '$date', '$tagline', '$article',
'$image',$image_orig')"
Expected result:
----------------
The should be caught, escaped properly and not affecting the query.
In this case $article was the variable containing the quotes in question.
Actual result:
--------------
All text after the opening quote is dropped from the data inserted into
the query.
------------------------------------------------------------------------
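Added example, not part of the bug report or of PHP's own code: the reproduce code's INSERT rewritten with bound parameters, so that neither typographic quotes nor straight quotes in the posted text can alter the query. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the $post array is constructed sample input in place of $_POST, and the two image columns are left out because the file handling was snipped from the report.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory replaces MySQL here. With MySQL, set the
// connection charset in the DSN (charset=utf8mb4) to match the submitted text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (title TEXT, date TEXT, tagline TEXT, article TEXT)');

// Constructed stand-in for $_POST. The article mixes typographic quotes
// (U+201C, U+201D) with a straight double quote and an apostrophe; the
// straight ones are what terminate a string literal in interpolated SQL.
$post = [
    'title'   => "Editor's note",
    'date'    => '2010-01-13',
    'tagline' => 'Pasted from a word processor',
    'article' => "He said \u{201C}hello\u{201D}, then \"goodbye\"; it's fine.",
];

// Placeholders keep the values out of the SQL text entirely, so no
// escaping function has to recognise any particular quote character.
$insert = $pdo->prepare(
    'INSERT INTO news (title, date, tagline, article)
     VALUES (:title, :date, :tagline, :article)'
);
$insert->execute($post);

// Read the row back, again with a bound parameter.
$select = $pdo->prepare('SELECT article FROM news WHERE title = :title');
$select->execute(['title' => $post['title']]);
$stored = $select->fetchColumn();

// Round-trip check: the stored text is byte-for-byte what was submitted.
var_dump($stored === $post['article']);

// Store the raw text and HTML-encode only when rendering it.
echo nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')), PHP_EOL;
```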