ID: 50743
Updated by: [email protected]
Reported By: eric at sharecorp dot com
-Status: Open
+Status: Bogus
Bug Type: Strings related
Operating System: Linux
PHP Version: 5.2.12
New Comment:
htmlentities() is not unicode aware in PHP 5.x. Use the mbstring /
iconv functions to deal with such strings.
Previous Comments:
------------------------------------------------------------------------
[2010-01-13 18:54:05] eric at sharecorp dot com
Mysql version 5.0.84-r1 from gentoo portage.
Stand alone example follows:
form.php
_____________________________________________________
<html>
<form action="handler.php" method="post">
Input: <textarea name="article" rows="5" cols="75"></textarea>
<input type="submit" name="submit" value="Add News">
</form>
</html>
______________________________________________
handler.php
_______________________________________________
<?
$host="127.0.0.1";
$user="user";
$dbpassword="password";
$db="db";
$connection = mysql_connect($host,$user,$dbpassword) or die("Couldn't
connect");
$db=mysql_select_db($db);
$article = nl2br(htmlentities($_POST['article'],ENT_QUOTES));
$query = "INSERT INTO news2 (title, date, tagline, article, image,
image_orig) VALUES ('testing', '01-13-2010', 'testing', '$article', '0',
'0')";
mysql_query($query) or die("couldn't execute query".mysql_error());
?>
____________________________________________________________________
SQL for creating news2
_____________________________________________________________________
REATE TABLE IF NOT EXISTS `news2` (
`id` int(11) NOT NULL auto_increment,
`title` varchar(40) collate utf8_unicode_ci NOT NULL,
`date` date NOT NULL,
`tagline` varchar(120) collate utf8_unicode_ci NOT NULL,
`article` text collate utf8_unicode_ci NOT NULL,
`image` int(11) NOT NULL,
`image_orig` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
AUTO_INCREMENT=44 ;
_____________________________________________________________________
Demo text
__________________________________________________________________
We are pleased to announce our improved website. We've updated it to
have a cleaner, more modern look, improved existing features and added
some new features as well.
Let's take a quick tour of the Products section. The first thing
you'll notice when you click on the Products link is that the product
categories have been updated. This is now consistent with our 2010
Color Catalog. The second thing that you'll notice is that the products
may not be listed alphabetically in their respective categories. The
products are now ranked by the most clicked on to least clicked on. In
other words, our most popular products are listed at the top of each
category. A third thing you may notice is that there's an Equipment
section. All of the products listed in the Color Catalog's Equipment
section can now be found here along with a picture.
___________________________________________________________
The insertion of the above text falters after "Let's take a quick tour
of the" and nothing else posts.
------------------------------------------------------------------------
[2010-01-13 18:25:35] [email protected]
Are you sure?
mysql> select * from users where name=rlerdorf;
ERROR 1064 (42000): You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near '��rlerdorf��' at line
1
mysql> select * from users where name="rlerdorf";
Empty set (0.03 sec)
As far as I can tell, MySQL does not treat those odd quotes as regular
quotes anywhere.
Please provide a standalone test case along with your MySQL version
that shows this.
------------------------------------------------------------------------
[2010-01-13 18:19:59] eric at sharecorp dot com
Description:
------------
None of the escaping functions are able to properly handle style
quotes, which are produced by default by open office. Functions that I
have tested include mysql_real_escape_string, htmlentities, addslashes
and addcslashes. This behavior causes text insertion into mysql to fail
as it interprets these quotes as normal double quotes.
Reproduce code:
---------------
$title = $_POST['title'];
$date = $_POST['date'];
$tagline = $_POST['tagline'];
$article =nl2br(htmlentities($_POST['article'],ENT_QUOTES));
//<snip of some file handling>
$query = "INSERT INTO news (title, date, tagline, article, image,
image_orig) VALUES ('$title', '$date', '$tagline', '$article',
'$image',$image_orig')"
Expected result:
----------------
The should be caught, escaped properly and not affecting the query.
In this case $article was the varible containing the quotes in question.
Actual result:
--------------
All text after the opening quote is dropped from the data inserted into
the query.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=50743&edit=1
