-- Sytem is MySQL, PHP, Apache and the code is built around the Codeigniter Framework
EDIT FOR CLARITY: I am not storing data, I am trying to retrieve data that was stored some years ago (badly as escaped data). In the database the name Fred' is stored as Fred' yet when I convert Fred' using htmlspecialcahrs it comes out as Fred'. My question is what do I need to do to make Fred' convert to Fred' and any other equivalents?
Original Question
I've inherited a database from another system (Invision Power Board to be exact). The site is now custom coded using Codeigniter but is using the same member database from the old Invision Power Board site.
I've now discovered a problem where by if a user has an apostrophe in their name e.g. "Fred'" codeigniter's built in html_escape function (which just uses htmlspecialchars) converts it to Fred'
Yet in the database the name is saved as: Fred' and thus the lookup fails.
I'm not sure what Invision Power Board was doing to the string before inserting it into the database, but does anyone have any idea how I could ensure that it is converted to ' instead of ' ?
Simply saying do a str_replace or change the data in the db is not useful as there are hundreds of possibilities for what could be in a users name. A quick search for users with a # in their name (presumably a special char) shows up 440 users who are currently unable to login due to this bug in our site.
EDIT: Fixed some formatting to remove ";" so it doesn't just display an apostrophe
You can use preg_replace() to remove 0's from php generated string before comparison:
$string = 'Fred'';
$string = preg_replace('/�+([1-9]+)/', '&#$1', $string);
var_dump(str_split($string));
// str_split to show real result
Related
I'm having some problems displaying strings with html entity on the web browser.
Currently i'm working on one system where string (e.g. file name) containing some html spec chars like single quotes could be stored to database encoded as html entity.
When i fetch that record from database and want to display that "file name" on page it shows me the same text.
For example:
filename in database: exampleFileName'
i want to display on page: exampleFileName'
I know that there is php functions such as html_entity_decode() and etc.
But i think it would be stupid to use it everywhere where i'm passing this string to html view.
Application is created using Zend Framework 2 and it's using Doctrine2 ORM.
Does doctrine can't handle this ? I mean is it possible somehow to get that string from database already decoded as normal text?
Or maybe it's something wrong with database default collation (utf8_swedish_ci)?
Finally,
what are the best practices for storing such kind of strings (with single quotes) into database ?
I would be really grateful for some answers.
Thank you.
I am building a web application which will run in electron with angular as a frontend framework and laravel as a backend framework. In the application it's possible to login with a smartcard (thanks to node-pcsclite), it reads the bytes on the smartcard and then I convert them.
The smartcard contains a code which is linked to the staff table in my MSSQL database. I can retrieve the code from the smartcard and I can log into the application when it uses mysql as database server.
Now when I'm trying to do the same but with mssql, I get an error which should be viewed in html mode instead of the error page itself.
(The code can be alphanumeric)
So it adds all these strange characters (probably non-existing characters), not that much of a problem right? At least, that's what I thought. So I tried to fix it by using this code inside my laravel controller:
preg_replace('/[^A-Za-z0-9\-]/', '', $string);
This didn't solve anything. Then I thought I might have a problem with the query, so I ran SQL Profiler, the problem is that (probably because of the special characters) the query is broken.
select top 1 * from [Staff] where [CodeInit] = '
go
So does anyone know how to really remove the strange characters?
If you need more information feel free to ask.
I had this problem and landed to this question when searching for a solution. I was unable to find any fix.
The string with non-printable characters retrieved from mdecrypt_generic() so I wanted a way to remove those characters. When I copy and paste the retrieved value from browser to Brackets text editor, it show these red dots.
I just pasted it to google and then it was encoded to %10. Nothing helped till now, so as a temporary solution I just used rtrim() to remove those dots.
Copy the dot in brackets and replace with "DOT_HERE".
rtrim(rtrim($pvp, "DOT_HERE"), "\0\4");
"\0\4" will remove only nulls and EOT but not that dot character(%10).
Further here is a screenshot with that red dot. You can use Brackets text editor to see this.
Note that $pvp is the decrypted text.
One of the systems I look after receives daily csv files from a third party. Recently the integration stopped working. I managed to pinpoint root the cause - the curly apostrophe. Once replaced with a regular one import files got processed successfully.
Third party system that generates these files is one of the Microsoft products, MS Access I think. System that receive and process these files is written in PHP on MySql database.
And here are the questions I would like to ask here:
- is this PHP or MySql that does not 'like' this character?
- are there any more characters of this kind that php/mysql would have issue processing?
I am not sure what "curly apostrophe" is, but if it's usual apostrophe (like in "it's") - yes, it does, as it is used as a string delimiter in MySQL.
If it's some other charecter - then it doesn't have any special meaning in PHP.
Anyway, you have to always format SQL query parts according to their role, to avoid whatever syntax errors.
Please refer to my earlier answer on the matter: In PHP when submitting strings to the database should I take care of illegal characters
I'm working with a client to convert his Access database into a MySQL one. He also has a website linked to the database...here is where the problem lies:
The fields in the database have too many whitespaces. EX: Instead of having space like this:
4.0L Engine
the spacing is like this:
4.0L Engine
This causes browsers like IE and Firefox to throw an error because it looks like they are displaying the incorrect amount of whitespace.
I know one solution is to go in and manually fix the whitespacing but it has 1000's of records and it will waste too much time.
I'm using CodeIgniter for his website to select the values from the database. Is there anyway I can make CodeIgniter, IE, and Firefox display the correct number of whtiespaces or automate the process of correcting the whitespaces without manually doing them?
Thanks,
Dro Sarhadian
Edit: Here is an example of an actual string in the database:
3.2L 196 OHV ENG - 1956-65 (CAST IRON ENG)
and here is how it's shown in firefox/IE
3.2L 196 OHV ENG - 1956-65 (CAST IRON ENG)
I've never heard of an error being thrown because of white space, but you could always create a script that
pulls down the record from the database
manipulates the data through regular expressions -- looking for extra white space and replacing it with the correct white space
then updates the record in the database
If you loop through all of the records, this would only need to be done once. Then the data in the database is as you intend.
I am using codeigniter in an app. There is a form. In the textarea element, I wrote something including
%Features%
However, when I want to echo this by $this->input->post(key), I get something like
�atures%
The '%Fe' are vanished.
In main index.php file of CI, I tried var_dump($_POST) and I see the above word is fully ok. but when I am fetching it with the input library (xss filtering is on) I get the problem.
When the XSS filtering is off, it appears ok initially. however, if I store it in database and show next time, I see same problem (even the xss filtering is off).
%Fe happens to look like a URL-encoded sequence %FE, representing character 254. It's being munched into the Unicode "I have no idea what that sequence means" glyph, �.
It's clear that the "XSS filter" is being over-zealous when decoding the field on submission.
It's also very likely that a URL-decode is being run again at some point later in the process, when you output the result from the database. Check the database to make sure that the actual string is being represented properly.
First: Escape the variables before storing them into db. % has special meaning in SQL.
Second: % also has special meaning in URLs eg. %20 is %FE will map to some character which will be decoded by input()