Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Back End PHP Quotes Within MYSQL results

  • This topic is empty.
Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #181124
    Anonymous
    Inactive

    Im getting results from the mysql database and echoing them within meta tags like this

    <meta name="<?php echo $row['DESCRIPTION']; ?>" />

    But when the description text contains quotes “”, PHP takes the quotes and maybe other symbols as actual code. How can i prevent this? I think this is how mysql injections happen.

    #181128
    __
    Participant

    I think this is how mysql injections happen.

    Same idea, but different arena: this is HTML injection (better known as XSS (Cross-Site Scripting)).*

    * side note: it’s not PHP that is doing the “interpreting,” here. PHP just prints it. After that, we’re worried about how the browser interprets it.

    You need to encode the quotes, so they are displayed as quotes (and not interpreted as delimiters). Read up on htmlspecialchars, particularly the usage of the various flags.

    #181186
    Anonymous
    Inactive

    That did the trick. Thanks

    #181191
    Anonymous
    Inactive

    Although while i’m here, these unknown characters show up in my HTML � is there a PHP function that replaces them or somehow fixes the unknown characters?

    #181214
    __
    Participant

    That’s a character encoding issue. You need to make sure that your http Content-Type header specifies the same charset you’re actually using. It looks like this content is from a database, so you’d also need to make sure that the character encoding used in the DB (and the DB connection) matches as well.

    I don’t know what encoding you are actually using, but the best choice is UTF-8.

    Whether of not you can “fix” it depends on if it is a valid character being displayed incorrectly, or if it was saved incorrectly. Does the character appear in your DB? You could use show create table{table_name_goes_here}; to see what charset the table is using. How to set the connection charset depends on what API you’re using.

    #181261
    Anonymous
    Inactive

    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />

    thats the charset i’m using and on the database the character is displayed correctly.

    ®

    Thats the character that comes unknown on the website, but not on the database

    #181267
    __
    Participant

    There’s one little “catch” with using a meta tag for the charset: If the server also sends an HTTP header with a charset, almost all browsers will ignore the charset you declare in the markup. Do you know/ can you find out what your HTTP headers say (there are plugins for Chrome and FireFox that list the headers for you)?

    Or, if you want to link to your site, I could check real quick.

    ®

    Cool. Did you find out what charset your database uses?

    #181286
    Anonymous
    Inactive

    Heres the link to the page with the showing the unknown characters. I’m sure there are more characters that will come up in the future but these are the ones showing up now http://5starmovies.io/movie.php?id=15

    Where do i enter show create table{table_name_goes_here}; In the mysql query in phpmyadmin?

    #181288
    __
    Participant

    Here’s what your page’s response headers look like:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 01 Sep 2014 04:38:57 GMT
    Content-Type: text/html
    Content-Length: 4229
    Connection: keep-alive
    Keep-Alive: timeout=15
    X-Mod-Pagespeed: 1.7.30.4-3847
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Cache-Control: max-age=0, no-cache
    ngpass_all: 1
    

    If you notice the Content-Type header, there’s no charset defined. Once you determine which charset you’re using, you can actually set that header in your PHP script (overriding the one the server sets automatically).

    header( 'Content-Type: text/html; charset=UTF-8' );
    

    …or whatever charset you turn out to be using.

    Where do i enter show create table{table_name_goes_here}; In the mysql query in phpmyadmin?

    That’ll work. Note; the curly braces are not part of the query. Just put the name of the table there.

    #181318
    Anonymous
    Inactive

    Thanks once again @Traq the charset was latin1 and i changed the html charset and php header charset to that. The characters are displaying.

    Cache-Control: max-age=0, no-cache Is that right? I would want my page to cache but it feels like its already doing it.

    #181328
    __
    Participant

    No problem.

    Cache-Control: max-age=0, no-cache Is that right? I would want my page to cache but it feels like its already doing it.

    PHP automatically sends no-cache headers, since it assumes whatever your script produces is dynamic. If you want your pages to be cached, you’d need to set those headers deliberately as well. Caching is a whole topic unto itself.

    #181337
    Anonymous
    Inactive

    Well the cache is working fine. I clear browser cache and the site does take longer to load the first time. The second time its super quick and the images just appear.

    Also the unknown character was fixed but then others started displaying strangely. Would changing the database charset to UTF-8 fix the issue to both unknown characters?

    #181340
    __
    Participant

    Well the cache is working fine. I clear browser cache and the site does take longer to load the first time. The second time its super quick and the images just appear.

    Ah – cache headers for the page itself have nothing to do with whether or not images are cached.

    Also the unknown character was fixed but then others started displaying strangely. Would changing the database charset to UTF-8 fix the issue to both unknown characters?

    You would need to actually convert your DB; just changing the declared encoding wouldn’t do it on its own. See the accepted answer in this S/O thread for more detailed instructions.

Viewing 13 posts - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.