php - real_escape_string not cleaning up entered text -


i thought proper way "sanitize" incoming data html form before entering mysql database use real_escape_string on in php script, this:

$newsstoryheadline = $_post['newsstoryheadline']; $newsstoryheadline = $mysqli->real_escape_string($newsstoryheadline); $storydate = $_post['storydate']; $storydate = $mysqli->real_escape_string($storydate); $storysource = $_post['storysource']; $storysource = $mysqli->real_escape_string($storysource); // etc. 

and once that's done insert data db this:

$mysqli->query("insert newsstoriestable (headline, date, dateadded, source, storycopy) values ('".$newsstoryheadline."', '".$storydate."', '".$dateadded."', '".$storysource."', '".$storytext."')"); 

so thought doing take care of cleaning invisible "junk" characters may coming in submitted text.

however, pasted text copied web-page html form, clicked "submit" - ran above script , inserted text db - when read text back db, discovered piece of text did still have junk characters in it, such –.
, junk characters of course caused php script wrote retrieves information db crash.

so doing wrong?

is using real_escape_string not way go here? or should using in conjunction else? or, there should doing (like more escaping) when reading reading data out the mysql database?

(i should mention i'm objective-c developer, not php/mysql developer, i've unfortunately been given task db stuff - hence question...) thanks!

your assumption wrong. mysqli_real_escape_string’s intention escape characters resulting string can safely used in mysql string literal. that’s it, nothing more, nothing less.

the result should passed data retained, including ‘junk’. if don’t want ‘junk’ in database, need detect, validate, or filter before passing to mysql.

in case, ‘junk’ seems due different character encodings: input data seems encoded utf-8 while it’s later displayed using windows-1250. in scenario, character (u+2013) encoded 0xe28093 in utf-8 represent 3 characters â, , , in windows-1250. properly declaring document’s encoding fix this.


Comments

Popular posts from this blog

css - Which browser returns the correct result for getBoundingClientRect of an SVG element? -

gcc - Calling fftR4() in c from assembly -

.htaccess - Matching full URL in RewriteCond -