Using PHP, what is the best way to store special characters (like the following) in a MSQUL database, to avoid injections.
« " ' é à ù
This is how I do it now:
$book_text=$_POST['book_text'];
$book_text=htmlentities($book_text, "ENT_QUOTES");
$query=//DB query to insert the text
Then:
$query=//DB query to select the text
$fetch=//The fetch of $book_text
$book_text=html_entity_decode($book_text);
This way, all my text is formatted in HTML entities. But I think this takes up a lot of database space. So, is there a better way?
Use utf8
encoding to store these values.
To avoid injections use mysql_real_escape_string()
(or prepared statements).
To protect from XSS use htmlspecialchars
.
It sounds like your question can be generalised to handling and storing UTF8 with PHP and MySQL.
To be safe from SQL injections, you should use prepared statements. The mysqli and PDO drivers both support them.
Prepared statements are automatically quoted by the driver, so you don't need to worry about this.
Your database tables should be created with the character set utf8
and the utf8_general_ci
collation. These my.cnf settings will ensure your MySQL server runs UTF8 all through:
[mysqld]
default-character-set=utf8
default-collation=utf8_general_ci
character-set-server=utf8
collation-server=utf8_general_ci
init-connect='SET NAMES utf8'
[client]
default-character-set=utf8
Be aware that PHP is generally unaware of UTF-8, so you should take care to use either iconv
or mbstring
libraries for string handling. See PHPWACT for a good overview.
Make sure PHP's internal character set is set to unicode
iconv_set_encoding('internal_encoding', 'UTF-8');
mb_internal_encoding('UTF-8');
You should also make sure the browser knows the encoding by sending either the correct header or adding a <meta>
tag for charset.
That should do it.
yes utf8 encoding...
also you can use Prepared Statements if you are worried a lot about injections...
http://www.linearchat.co.uk/2011/08/why-prepared-statements-in-mysql-are-a-good-thing/
also
http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html
Your question is a fine collection of confusions. You managed to confuse everything.
Let's try to sort it out.
Using PHP, what is the best way to store special characters (like the following) in a MSQUL database, to avoid injections.
These are incomparable matters. Storing special chars is one matter and avoiding injections is another. completely different one.
$book_text=htmlentities($book_text, "ENT_QUOTES");
this is most funny part. although it is intended to protect your queries, it's actually does nothing. Because instead of constant ENT_QUOTES which value is 3 you are using string ENT_QUOTES which numeric value is 0, so, you are setting no flag.
But even if you set this flag correctly, it won't automatically protect you. Because an injection code may contain no special chars.
To avoid injections, you have to follow whole set of rules, not one simple function "make_my_data_safe()". There is no magic wand.
See this my answer for the details.
As for the specialchars, it's simple. The only problem that there are NO solid special chars set. There are different special chars for the different environments.
- ' have meaning for the database and HTML
- <> have meaning for the HTML only
- é à ù have meaning for the HTML only, depends on the encoding.
you have you use different formatting rules for the every case. Different, not a single one for all.
to use é à ù chars with HTML you have to set proper HTTP header.
to use é à ù with database you have to set your table encoding to utf8 and connection encoding to utf 8.