Reputation: 7053
SQL injection and escaping special characters
I accept data from TinyMCE. I get into difficulties when I copy and paste from a site such as this:
http://www.rlslog.net/category/games/pc/
I use the following functions to prevent an SQL injection and escape special characters that if ruin my whole page once I output the inserted text.
$title = mysql_real_escape_string($title);
$data = mysql_real_escape_string($data);
$author= mysql_real_escape_string($author);
$data =htmlentities($data);
$title =htmlentities($title);
$author =htmlentities($author);
mysql_query("SET NAMES 'utf8'");
mysql_query("INSERT INTO `easy_db`.`article` (`Title`, `Article`, `Topics`, `author`, `page`, tpage ) VALUES('$title', '$data', '$topic', '$author', '$page','$tpage')") or die(mysql_error());
mysql_close();
What I get when I output the data is my html text (which isnt the output from the database) looking like that:
כותרת היו×
I turend magic_quotes_gpc off in my php.ini
magic_quotes_gpc
Default Value: Off
Development Value: Off
Production Value: Off
Here is how the text that I put looks like when refering to it in phpmyadmin:
skidrow%2F&layout=standard&show_faces=false&width=450&action=like&colorscheme=light&height=35\" frameborder=\"0\" scrolling=\"no\"></iframe></p>\r\n<p class=\"comments_link\" style=\"padding-top: 20px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; line-height: 19px; margin: 0px;\"><a style=\"color:
c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"Comment on Orcs Must Die Fix-SKIDROW\"
href=\"http://www.rlslog.net/orcs-must-die-fix-skidrow/#respond\">Comments(0)</a></p>\r\n</div>\r\n</div>\r\n<div style=\"padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 40px; margin: 0px;\"><iframe style=\"padding: 0px; margin: 0px;\" src=\"http://www.roadcomponentsdb.com/300.htm\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"NO\" width=\"300\" height=\"250\"></iframe></div>\r\n<p id=\"nextlinks\" style=\"padding-top: 20px; padding-right: 20px; padding-bottom: 0px; padding-left: 20px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Previous post:</strong> <a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.rlslog.net/musclemag-international-%e2%80%93-december-2011-p2p/\">MuscleMag International – December 2011-P2P</a></p>
The question is why is it happening? how do I prevent it? and do I do enough to prevent an sql injection?
Upvotes: 2
Views: 1216
Answers (1)
Reputation: 4291
SET NAMES 'utf8' is altering your data.
Take a look at this MySQL forum link. He provides a fairly good description of what's going on. Short description: the conversion process is confused as to what it should be reading the characters as.
Upvotes: 2
Related Questions
- MySQL escaping special characters
- SQL Injection with an Escaped String?
- Escape characters appearing in MySQL
- SQL injection, real_escape_string, and quoted queries
- escape characters at a mysql query from php
- Escape special characters from the database - MySql
- SQL Injection, Quotes and PHP
- tinymce: apostrophes in editor, faulty mysql post
- php mysql special character escape
- Escaping Characters from MySQL from PHP Framework