Posted by Ben Ramsey on 10/09/96 11:24

Please always reply to the list so that others can benefit from the
exchange. As it happens, I'm not exactly very knowledgeable about
character sets, so someone on the list may be able to offer more help
with regard to the problem you're experiencing.

-Ben


areguera wrote:
> On 8/19/05, Ben Ramsey <ramsey@php.net> wrote:
>
>>Alain Reguera Delgado wrote:
>>
>>>you could try:
>>>
>>>1. get all form variables into an array
>>
>>fine
>>
>>
>>>2. validate values
>>
>>Good, but do this step as you put the values into a separate array,
>>don't put all the values into the array first and then validate them
>>later... make sure the input received is input expected and then save
>>only the input to the array that passes the validation/filtering tests
>
>
> yes .. that's much better .. :)
>
>
>>>3. convert all values into entities using htmlentities()
>>
>>Why do you want to do this before saving to the database?
>
>
> Ben, I got some troubles when moving database from one server to
> another, all Latin characters disappear, and the info turns a mess.
> Thought for a moment a server's language configuration setting. I was
> wondering by days to take this way, I thought if someone else wants
> the application and occurs the same because his configuration is not
> like mine. Then that solution came to me. Felt no matter what version
> or configuration of mysql or other db is used or what latin char is
> inserted, the data always be there for the web, in the language it
> speaks.
>
> This step has
>
>>absolutely no bearing on preparing the statement for insertion into a
>>database. It won't protect against SQL injection.
>
>
> Also, you will never
>
>>be able to do anything with this data other than use it for HTML output
>>(unless you try to reverse the entities, which seems like an awful lot
>>of work to me).
>
>
> yes, I don't like either...its not flexible.
>
> It's best to save the raw data as entered and escape it
>
>>(with htmlentities() or something else) ONLY on output.
>
>
> that was the first way I used to go... but after that problem, I am not sure
>
>
>>As I mentioned in my last post to this thread, the best way to escape a
>>string for insertion into a database (and protect against SQL injection)
>>is to use the escape function for the particular database --
>>mysql_real_escape_string() in this case. You should never use
>>htmlentities() to escape data before saving it to a database. Do that
>>only after you've pulled data from the database and are outputting it
>>somewhere (like on a Web page).
>>
>>
>>>4. build sql query (do some tests 'til get it right)
>>>5. execute the built query (with proper db function)
>>>
>>>by now, commas aren't a problem, they are limited between sql query's
>>>quotes. If some quotes are inserted as value they are previously
>>>converted to its entities and do not break the sql query.
>>
>>This is why you use mysql_real_escape_string(), etc. -- not htmlentities().
>>
>>
>>>as previously said in this thread, the problem is on quoting and maybe
>>>on converting the values to entities, to prevent some quote break the
>>>sql structure.
>>
>>You don't need to convert the values to HTML entities when saving to a
>>database. That's not going to prevent this problem.
>
>
> could you suggest something about Latin characters and portability?.
>
> Thanks for your time Ben. I am new in the list and in php too. Thanks
> for your answers.

[Back to original message]