Re: Re: PHP MySQL insert

Please always reply to the list so that others can benefit from the exchange. As it happens, I'm not exactly very knowledgeable about character sets, so someone on the list may be able to offer more help with regard to the problem you're experiencing.

-Ben


areguera wrote:
On 8/19/05, Ben Ramsey <ramsey@xxxxxxx> wrote:

> Alain Reguera Delgado wrote:
>
> > you could try:
> >
> > 1. get all form variables into an array
>
> fine
>
> > 2. validate values
>
> Good, but do this step as you put the values into a separate array,
> don't put all the values into the array first and then validate them
> later... make sure the input received is input expected and then save
> only the input to the array that passes the validation/filtering tests

yes .. that's much better .. :)

> > 3. convert all values into entities using htmlentities()
>
> Why do you want to do this before saving to the database?

Ben, I got some trouble when moving a database from one server to
another: all Latin characters disappeared, and the info turned into a mess.
I thought for a moment it was a server's language configuration setting. I
wondered for days about taking this way; I thought, what if someone else
wants the application and the same occurs because his configuration is not
like mine? Then that solution came to me. I felt that no matter what version
or configuration of mysql or other db is used, or what Latin char is
inserted, the data would always be there for the web, in the language it
speaks.

> This step has absolutely no bearing on preparing the statement for
> insertion into a database. It won't protect against SQL injection.
>
> Also, you will never be able to do anything with this data other than
> use it for HTML output (unless you try to reverse the entities, which
> seems like an awful lot of work to me).

yes, I don't like it either... it's not flexible.

> It's best to save the raw data as entered and escape it (with
> htmlentities() or something else) ONLY on output.

that was the first way I used to go... but after that problem, I am not sure

> As I mentioned in my last post to this thread, the best way to escape a
> string for insertion into a database (and protect against SQL injection)
> is to use the escape function for the particular database --
> mysql_real_escape_string() in this case. You should never use
> htmlentities() to escape data before saving it to a database. Do that
> only after you've pulled data from the database and are outputting it
> somewhere (like on a Web page).
>
> > 4. build sql query (do some tests 'til get it right)
> > 5. execute the built query (with proper db function)
> >
> > by now, commas aren't a problem, they are limited between sql query's
> > quotes. If some quotes are inserted as a value they are previously
> > converted to their entities and do not break the sql query.
>
> This is why you use mysql_real_escape_string(), etc. -- not htmlentities().
>
> > as previously said in this thread, the problem is on quoting and maybe
> > on converting the values to entities, to prevent some quote from breaking
> > the sql structure.
>
> You don't need to convert the values to HTML entities when saving to a
> database. That's not going to prevent this problem.

could you suggest something about Latin characters and portability?
Thanks for your time Ben. I am new to the list and to php too. Thanks
for your answers.
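The flow Ben describes (validate each value as it goes into a separate array, escape with the database's own mechanism when inserting, escape for HTML only when outputting) written out as an added example; this is not code from the thread. It uses mysqli with a prepared statement, the current equivalent of escaping with mysql_real_escape_string(), since the old mysql extension that function belonged to was removed in PHP 7. The form field names, the comments table and the connection details are assumptions.

```php
<?php
// Added example, not from the thread. Field names, table and
// connection details are assumptions.

// Steps 1 and 2: copy each form field into a separate array only
// after it passes its check. Nothing that fails validation is kept.
function collectValidInput(array $source): array
{
    $clean = [];
    if (isset($source['username'])
        && is_string($source['username'])
        && preg_match('/^[A-Za-z0-9_]{1,32}$/', $source['username'])) {
        $clean['username'] = $source['username'];
    }
    if (isset($source['comment'])
        && is_string($source['comment'])
        && strlen($source['comment']) <= 1000) {
        // Kept exactly as entered: no htmlentities() at this stage.
        $clean['comment'] = $source['comment'];
    }
    return $clean;
}

// Steps 4 and 5: build and run the INSERT. Bound parameters travel
// separately from the SQL text, so quotes inside a value cannot change
// the statement. If you assemble the SQL string by hand instead, wrap
// each value with mysqli_real_escape_string(); htmlentities() does not
// protect the query.
function insertComment(mysqli $db, array $clean): bool
{
    if (!isset($clean['username'], $clean['comment'])) {
        return false; // a required field failed validation
    }
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $clean['username'], $clean['comment']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output: escaping for HTML happens only here, when the raw stored text
// is rendered. The database row keeps the original characters.
function renderComment(array $row): string
{
    $user = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    $body = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    return "<p><b>{$user}</b>: {$body}</p>";
}

// Usage (assumed credentials and table):
// $db = new mysqli('localhost', 'appuser', 'secret', 'appdb');
// $db->set_charset('utf8mb4'); // declare the connection charset explicitly
// $clean = collectValidInput($_POST);
// if (!insertComment($db, $clean)) {
//     // report the validation or database failure
// }
// foreach ($db->query('SELECT username, body FROM comments') as $row) {
//     echo renderComment($row);
// }
```

The explicit set_charset() call in the usage is the part that touches the portability question at the end of the message: mysqli_real_escape_string() escapes according to the connection's character set, and the server interprets the bytes it stores and returns in that same set, so declaring it on every connection removes the dependency on whatever default each server happens to have.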

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

