I have an issue with special characters. For example, in the database is written "A & A" (the database collation is utf8_unicode_ci). I am retrieving the values correctly in the autosuggest list with:

while ($row = mysql_fetch_array($result)) {
    $keywords = htmlspecialchars($row['name']);
    echo "<keywords>" . $keywords . "</keywords>";
}

When I click to select "A & A", the input field is filled with `A &amp; A`.

The header is set to `<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`. Can you please let me know how to display the special character?

HamZa
Lilou

3 Answers

If you want to convert from A &amp; A to A&A, use htmlspecialchars_decode on the text.
If you want to convert from A&A to A &amp; A use htmlspecialchars.

In your case, removing the htmlspecialchars operation on the text pulled from your database will do. Since your issue appears to be with the & character being replaced with &amp;, maybe running something like $text = str_replace("&amp;", "&", htmlspecialchars($text)); will work better for you, and prevents XSS.

HamZa
Jimmie Lin
  • He doesn't want to convert anything, but he still does, which is why he's seeing the &. – Parrotmaster Aug 01 '13 at 08:27
  • You want to promote XSS ? – HamZa Aug 01 '13 at 08:28
  • @HamZa At least be constructive. Saying "Do you want it to break" doesn't tell us anything aside from the fact that it might not work. – Parrotmaster Aug 01 '13 at 08:31
  • @Parrotmaster My bad though, I shouldn't have skimped on the obvious XSS scenario. :p – Jimmie Lin Aug 01 '13 at 08:32
  • @Parrotmaster I'm being constructive, have you ever heard of XSS and how to block it ? – HamZa Aug 01 '13 at 08:32
  • @HamZa Asking "You want to promote XSS" is in no way constructive. You didn't give me any information or pointers, and your statement isn't even a clear question. You could have said something like "Your code will cause a security issue and you should do [code] instead". Yet you chose to be as vague as you possibly could. Next time be more clear. See http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php – Parrotmaster Aug 01 '13 at 08:35
  • @Parrotmaster Sorry to be vague, wasn't my intention :) – HamZa Aug 01 '13 at 08:52

If you have "A & A" in the database, htmlspecialchars will do that.

Remove htmlspecialchars.

Parrotmaster
  • You want to promote XSS ? – HamZa Aug 01 '13 at 08:27
  • @HamZa What? Stay on topic please. – Parrotmaster Aug 01 '13 at 08:28
  • I'm on topic, why do you think one is using `htmlspecialchars` ? – HamZa Aug 01 '13 at 08:31
  • Thanks for all your inputs. If I remove `htmlspecialchars` then no name with special chars appears in the autosuggest list, also when I add `htmlspecialchars_decode`. – Lilou Aug 01 '13 at 08:36
  • @Lilou I'd recommend using htmlspecialchars to turn your "A & A" into "A &amp; A" before you upload it into the database (or put "A &amp; A" in the database). If you use htmlspecialchars_decode after it will be more secure. See Jimmie Lin's answer. – Parrotmaster Aug 01 '13 at 08:38
  • Let's take an example of a commenting system. A wild user tries to inject code in a comment like this: ``, when another user opens that section, the database will fetch that comment and display it. Now the other user will get an alert. This is a really simple case, but hackers could load an iframe or custom exploit. To prevent that, you could use `htmlspecialchars`, it will convert `<>` to `&lt;&gt;` and thus make the script tag not work. Of course, you may argue that one should filter tags from the beginning with [htmlpurifier](http://htmlpurifier.org/). – HamZa Aug 01 '13 at 08:40
  • @HamZa You should put this in an answer (or update Jimmie Lin's answer with this) since it's pretty important information. – Parrotmaster Aug 01 '13 at 08:42
  • @Parrotmaster Yes I agree with you, I can do that for the future inserts, but at the moment in the database there are over 2000 names that most of them have some special characters. – Lilou Aug 01 '13 at 08:43
  • @Parrotmaster I can't since it doesn't solve the OP's problem. – HamZa Aug 01 '13 at 08:44
  • @HamZa But it is important information that is related to the solution, and therefore should be included. – Parrotmaster Aug 01 '13 at 08:50
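An added example, not from the question or from any of the answers or comments above, that takes the `<keywords>` response from the question together with the injected-comment case HamZa describes, and shows what a single htmlspecialchars call does to each value on the way into the markup and what an XML parser hands back after reading it. The rows are constructed, `simplexml` stands in for the browser's XML parser, and the `ENT_XML1` flag needs PHP 5.4 or later.

```php
<?php
// Added example (not from the question or any answer): values are stored raw
// and escaped once for the output context they are written into.
declare(strict_types=1);

// Constructed sample rows, shaped like the asker's fetched rows:
$rows = [
    ['name' => 'A & A'],                       // the value from the question
    ['name' => '<script>alert(1)</script>'],   // HamZa's injected-comment case
    ['name' => 'Tom "Tommy" O\'Neil'],         // quotes matter inside attributes
];

// Escape a raw string for an HTML/XML text node or attribute value.
// ENT_QUOTES also escapes ' and "; ENT_XML1 (PHP >= 5.4) emits the
// apostrophe as &#39; so the output is valid XML as well as HTML;
// 'UTF-8' matches the page's declared charset.
function escapeForMarkup(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Build the autosuggest response the way the question does, escaped once.
function buildKeywordsXml(array $rows): string
{
    $xml = '<?xml version="1.0" encoding="UTF-8"?><suggestions>';
    foreach ($rows as $row) {
        $xml .= '<keywords>' . escapeForMarkup($row['name']) . '</keywords>';
    }
    return $xml . '</suggestions>';
}

// What an XML consumer (the browser's parser, simplexml here) sees after
// parsing: every entity is decoded exactly once.
function parseKeywords(string $xml): array
{
    $doc = simplexml_load_string($xml);
    $out = [];
    foreach ($doc->keywords as $kw) {
        $out[] = (string) $kw;
    }
    return $out;
}

$xml = buildKeywordsXml($rows);
echo $xml, "\n";
// ...<keywords>A &amp; A</keywords><keywords>&lt;script&gt;alert(1)&lt;/script&gt;</keywords>...

foreach (parseKeywords($xml) as $text) {
    echo $text, "\n";   // "A & A", then "<script>alert(1)</script>" as plain text, never executed
}

// Escaping the same value twice is what yields a literal "A &amp; A" after
// parsing: either the stored value was already escaped, or the client reads
// the raw markup instead of the parsed text node.
echo escapeForMarkup(escapeForMarkup('A & A')), "\n";   // A &amp;amp; A

// Without escaping, a bare & makes the XML ill-formed and the parse fails,
// so nothing from that response reaches the list. This is consistent with
// Lilou's report that names with special characters disappear.
$broken = '<suggestions><keywords>A & A</keywords></suggestions>';
var_dump(@simplexml_load_string($broken));   // bool(false)
```

The practical check: look at the raw response in the browser's network panel. If it contains `A &amp; A` exactly once and the input still shows `&amp;`, the client code is reading markup rather than text; if it contains `A &amp;amp; A`, the database already holds an escaped copy, and the 2000 existing rows need a one-off `htmlspecialchars_decode` pass, not a second decode at display time.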
It's better to use rawurlencode before inserting the value into the database. Then whenever you fetch the value, use rawurldecode. I think it may solve your problem.

   rawurldecode($row['name']);

Check this http://php.net/manual/en/function.rawurlencode.php

Shafeeque
  • Please read the link you have provided. It says `The URL to be encoded.`, so this is by no mean to be used on random data. – HamZa Aug 01 '13 at 08:45
  • 1
    Please provide a compelling reason to use either HTML or URL encoding for data in the database, and specifically why URL encoding beats HTML encoding. – deceze Aug 01 '13 at 08:48
  • This is correct answer, please try to read the documentation. – Anshad Vattapoyil Aug 05 '13 at 10:04
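An added example, not part of the answer above or of any other post on this page, that puts one raw value through both encodings to show which context each one serves: rawurlencode for the query string of the autosuggest request, htmlspecialchars for the text node of the response. The value is constructed, and `suggest.php` with its `q` parameter is an assumed endpoint name, not one the question mentions.

```php
<?php
// Added example (not from the answer): the same raw value encoded for two
// different output contexts. Storing either encoded form in the database
// bakes one context's rules into data that is later used in another.
declare(strict_types=1);

$name = 'A & <b>A</b>';   // constructed sample value containing both & and tags

// 1. URL context: a query-string parameter for the autosuggest request.
//    (suggest.php and q are assumed names, not from the page.)
function suggestUrl(string $term): string
{
    return 'suggest.php?q=' . rawurlencode($term);
}
echo suggestUrl($name), "\n";
// suggest.php?q=A%20%26%20%3Cb%3EA%3C%2Fb%3E

// 2. Markup context: a text node in the XML/HTML response.
function keywordsElement(string $term): string
{
    return '<keywords>' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</keywords>';
}
echo keywordsElement($name), "\n";
// <keywords>A &amp; &lt;b&gt;A&lt;/b&gt;</keywords>

// What the answer proposes: URL-encode on insert, URL-decode on fetch.
// Decoding returns exactly the raw string, so nothing has been made safe
// for the markup context; the & and < are right where they started.
$stored  = rawurlencode($name);   // A%20%26%20%3Cb%3EA%3C%2Fb%3E
$fetched = rawurldecode($stored);
var_dump($fetched === $name);     // bool(true)

// Dropped straight into the element, it is the same ill-formed XML as
// storing the value raw would give:
echo '<keywords>' . $fetched . '</keywords>', "\n";
// <keywords>A & <b>A</b></keywords>

// The encoded column is also no longer searchable as typed: a query such as
//   WHERE name = 'A & A'   or   WHERE name LIKE '%&%'
// cannot match a row whose stored text is "A%20%26%20A".
```

Percent-encoding answers "how do I put this in a URL", not "how do I show this in HTML"; a value stored as text should go into the database raw (with a parameterised query) and be escaped once, right before output, with the function that matches the context it is being written into.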