Quotes Within MYSQL results (Back End / PHP forum)

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

  • #181124
    Anonymous
    Inactive

    I'm getting results from the MySQL database and echoing them within meta tags like this:

    <meta name="<?php echo $row['DESCRIPTION']; ?>" />

    But when the description text contains quotes “”, PHP takes the quotes and maybe other symbols as actual code. How can I prevent this? I think this is how MySQL injections happen.

    #181128
    __
    Participant

    I think this is how mysql injections happen.

    Same idea, but different arena: this is HTML injection (better known as XSS (Cross-Site Scripting)).*

    * side note: it’s not PHP that is doing the “interpreting,” here. PHP just prints it. After that, we’re worried about how the browser interprets it.

    You need to encode the quotes, so they are displayed as quotes (and not interpreted as delimiters). Read up on htmlspecialchars, particularly the usage of the various flags.
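
Added example, not code from the thread or from either poster, showing the encoding step the reply above describes and why the htmlspecialchars flags matter. The $row array and its DESCRIPTION value are constructed for the demonstration (a textbook attribute-breakout string, not a real description), and the tag puts the value in a content attribute rather than the name attribute used in the question.

```php
<?php
// Added example (not code from the thread): encoding a database value before
// it is placed inside an HTML attribute. $row is constructed sample data.
declare(strict_types=1);

$row = [
    // Constructed payload: closes the attribute and the tag, injects a script
    // element, then reopens a dummy attribute so the template's closing quote
    // still has a partner and the markup parses cleanly.
    'DESCRIPTION' => 'Action & drama"><script>alert(1)</script><meta name="',
];

/**
 * Encode a value for use inside a quoted HTML attribute.
 *
 * ENT_QUOTES encodes both " and '. Before PHP 8.1 the default flags were
 * ENT_COMPAT | ENT_HTML401, which leave ' untouched, so a single-quoted
 * attribute stayed breakable. ENT_SUBSTITUTE turns an invalid byte sequence
 * into U+FFFD instead of making the call return '' and silently dropping
 * the whole description. The charset argument must name the encoding the
 * bytes are really in, not the one you wish they were in.
 */
function attr(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, $charset);
}

/** The tag built the way the original post did: the raw value becomes markup. */
function metaRaw(array $row): string
{
    return '<meta name="description" content="' . $row['DESCRIPTION'] . '" />';
}

/** Same tag with the value encoded: a quote can no longer end the attribute. */
function metaEncoded(array $row): string
{
    return '<meta name="description" content="' . attr($row['DESCRIPTION']) . '" />';
}

echo "raw:     ", metaRaw($row), PHP_EOL;     // browser parses a <script> element
echo "encoded: ", metaEncoded($row), PHP_EOL; // every " and < arrives as an entity
```

The charset argument is the caveat to keep in mind for the rest of this thread: the site later turns out to store latin1, and a latin1 ® (the single byte 0xAE) is not valid UTF-8. Passed to htmlspecialchars with the default UTF-8 charset and without ENT_SUBSTITUTE, that one byte makes the function return an empty string, so the whole description vanishes rather than showing a stray �.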

    #181186
    Anonymous
    Inactive

    That did the trick. Thanks

    #181191
    Anonymous
    Inactive

    Although, while I'm here, these unknown characters show up in my HTML: �. Is there a PHP function that replaces them or somehow fixes the unknown characters?

    #181214
    __
    Participant

    That’s a character encoding issue. You need to make sure that your HTTP Content-Type header specifies the same charset you’re actually using. It looks like this content is from a database, so you’d also need to make sure that the character encoding used in the DB (and the DB connection) matches as well.

    I don’t know what encoding you are actually using, but the best choice is UTF-8.

    Whether or not you can “fix” it depends on if it is a valid character being displayed incorrectly, or if it was saved incorrectly. Does the character appear in your DB? You could use show create table{table_name_goes_here}; to see what charset the table is using. How to set the connection charset depends on what API you’re using.

    #181261
    Anonymous
    Inactive

    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />

    That's the charset I'm using, and on the database the character is displayed correctly.

    ®

    That's the character that comes up unknown on the website, but not in the database.

    #181267
    __
    Participant

    There’s one little “catch” with using a meta tag for the charset: If the server also sends an HTTP header with a charset, almost all browsers will ignore the charset you declare in the markup. Do you know / can you find out what your HTTP headers say (there are plugins for Chrome and Firefox that list the headers for you)?

    Or, if you want to link to your site, I could check real quick.

    ®

    Cool. Did you find out what charset your database uses?

    #181286
    Anonymous
    Inactive

    Here's the link to the page showing the unknown characters. I’m sure there are more characters that will come up in the future, but these are the ones showing up now: http://5starmovies.io/movie.php?id=15

    Where do I enter show create table{table_name_goes_here}; In the MySQL query in phpMyAdmin?

    #181288
    __
    Participant

    Here’s what your page’s response headers look like:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 01 Sep 2014 04:38:57 GMT
    Content-Type: text/html
    Content-Length: 4229
    Connection: keep-alive
    Keep-Alive: timeout=15
    X-Mod-Pagespeed: 1.7.30.4-3847
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Cache-Control: max-age=0, no-cache
    ngpass_all: 1
    

    If you notice the Content-Type header, there’s no charset defined. Once you determine which charset you’re using, you can actually set that header in your PHP script (overriding the one the server sets automatically).

    header( 'Content-Type: text/html; charset=UTF-8' );
    

    …or whatever charset you turn out to be using.

    Where do i enter show create table{table_name_goes_here}; In the mysql query in phpmyadmin?

    That’ll work. Note: the curly braces are not part of the query. Just put the name of the table there.
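
Added example, not code from the thread or from either poster, pulling together the two replies above (the one on matching the HTTP header, the markup and the DB connection charset, and the one showing the header() call). The byte strings are constructed sample data; connectWithCharset() is never called here because the demo has no database, and its arguments are placeholders. Charset names passed to the mbstring and htmlspecialchars functions are IANA names ('UTF-8', 'ISO-8859-1'), which differ from the MySQL names ('utf8mb4', 'latin1').

```php
<?php
// Added example (not code from the thread): the charset declared in the HTTP
// header, the markup and the DB connection must agree, plus a check for the
// situation behind the � symbol. Byte strings are constructed sample data.
declare(strict_types=1);

// The registered-trademark sign as a latin1 table stores it (one byte) and
// as UTF-8 (two bytes). Constructed for the demo.
const REG_LATIN1 = "\xAE";
const REG_UTF8   = "\xC2\xAE";

// MySQL and PHP/mbstring spell the same encodings differently.
const MYSQL_TO_MB = ['latin1' => 'ISO-8859-1', 'utf8' => 'UTF-8', 'utf8mb4' => 'UTF-8'];

/** True if $bytes are well-formed in $mbCharset (an IANA name such as 'UTF-8'). */
function isValidIn(string $bytes, string $mbCharset): bool
{
    return mb_check_encoding($bytes, $mbCharset);
}

/**
 * Transcode bytes read from a column stored in $tableCharset (MySQL name) to
 * the encoding the page declares. Shown only to make the mismatch concrete;
 * in production the connection charset does this for you (see below).
 */
function toPageCharset(string $bytes, string $tableCharset, string $pageCharset): string
{
    return mb_convert_encoding($bytes, $pageCharset, MYSQL_TO_MB[$tableCharset]);
}

/**
 * Open a mysqli connection whose charset matches the page. set_charset()
 * rather than a "SET NAMES" query, because set_charset() also updates the
 * client library's charset, which mysqli_real_escape_string relies on.
 * Not executed in this stand-alone demo; the parameters are placeholders.
 */
function connectWithCharset(string $host, string $user, string $pass, string $db, string $mysqlCharset): mysqli
{
    $mysqli = new mysqli($host, $user, $pass, $db);
    if ($mysqli->connect_error) {
        throw new RuntimeException('connect failed: ' . $mysqli->connect_error);
    }
    if (!$mysqli->set_charset($mysqlCharset)) {
        throw new RuntimeException('set_charset failed: ' . $mysqli->error);
    }
    return $mysqli;
}

/** Emit the header and the markup with one charset, before any other output. */
function sendPage(string $pageCharset, string $description): void
{
    // header() must run before the first byte of output. It replaces the bare
    // "Content-Type: text/html" the server sent in the thread's capture, and a
    // header charset is what browsers honour over the meta tag.
    header('Content-Type: text/html; charset=' . $pageCharset);
    echo '<!DOCTYPE html><html><head>',
         '<meta charset="', $pageCharset, '">',
         '<meta name="description" content="',
         htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, $pageCharset),
         '" /></head><body></body></html>';
}

// Demo: a latin1 byte labelled as UTF-8 is exactly the thread's symptom.
var_dump(isValidIn(REG_LATIN1, 'UTF-8'));
var_dump(isValidIn(REG_LATIN1, 'ISO-8859-1'));
var_dump(toPageCharset(REG_LATIN1, 'latin1', 'UTF-8') === REG_UTF8);
```

The first check fails and the second passes: the same byte is a valid latin1 ® and an invalid UTF-8 sequence, which is why the browser draws � when the label says UTF-8. The third shows that transcoding, not relabelling, is what produces the two-byte UTF-8 form; the same distinction applies to the table itself later in the thread, where ALTER TABLE ... CONVERT TO CHARACTER SET utf8mb4 converts the stored bytes while changing only the declared charset would not.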

    #181318
    Anonymous
    Inactive

    Thanks once again @Traq. The charset was latin1, and I changed the HTML charset and PHP header charset to that. The characters are displaying.

    Cache-Control: max-age=0, no-cache Is that right? I would want my page to cache, but it feels like it's already doing it.

    #181328
    __
    Participant

    No problem.

    Cache-Control: max-age=0, no-cache Is that right? I would want my page to cache but it feels like its already doing it.

    PHP automatically sends no-cache headers, since it assumes whatever your script produces is dynamic. If you want your pages to be cached, you’d need to set those headers deliberately as well. Caching is a whole topic unto itself.

    #181337
    Anonymous
    Inactive

    Well, the cache is working fine. I clear the browser cache and the site does take longer to load the first time. The second time it's super quick and the images just appear.

    Also the unknown character was fixed but then others started displaying strangely. Would changing the database charset to UTF-8 fix the issue to both unknown characters?

    #181340
    __
    Participant

    Well, the cache is working fine. I clear the browser cache and the site does take longer to load the first time. The second time it's super quick and the images just appear.

    Ah – cache headers for the page itself have nothing to do with whether or not images are cached.

    Also the unknown character was fixed but then others started displaying strangely. Would changing the database charset to UTF-8 fix the issue to both unknown characters?

    You would need to actually convert your DB; just changing the declared encoding wouldn’t do it on its own. See the accepted answer in this S/O thread for more detailed instructions.
