
I'm trying to save the contents of a WYSIWYG input into an Oracle database. Here's what I'm using:

$data = htmlentities($_POST['data'], ENT_QUOTES, "UTF-8");

My expectation is that when I'm going to put John's as the value for the input, it will be saved on the database as John's, but instead it is being saved as John'.

To me it looks like a double HTML entity encoding issue.

Can you help me fix this?

dokgu
  • I suspect it's Oracle escaping characters; however, to make sure, try `var_dump($data)` (also `var_dump($_POST['data'])`) and look at its output to be sure. – Bagus Tesa Dec 03 '15 at 19:41
  • Maybe the WYSIWYG is converting it once? Why do you need to encode `'`s to their entity, hopefully not to avoid SQL injections? – chris85 Dec 03 '15 at 19:48
  • @chris85 What's the general practice in saving the contents of a WYSIWYG input? – dokgu Dec 03 '15 at 19:51
  • It depends what the WYSIWYG is set up to send and how you are going to use that output later. Your user input shouldn't go directly into a SQL query though. – chris85 Dec 03 '15 at 19:54
  • @chris85 I at least know that part; that's why I'm using `htmlentities`. The only reason why I'm trying to escape `'` is because in my query I use single quotes to denote strings. – dokgu Dec 03 '15 at 19:57
  • Use parameterized queries; or use an already defined escaping function. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – chris85 Dec 03 '15 at 20:29

1 Answer

Browsing through the documentation, I noticed that the last parameter is a boolean for double encoding.

$data = htmlentities($_POST['data'], ENT_QUOTES, "UTF-8", false);

did the trick.

dokgu
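The following is an added example, not code from the question or the answer. It reproduces the double-encoding symptom from the question, shows the effect of the `double_encode=false` argument from the answer, and, as the comments recommend, binds the value into the Oracle INSERT with oci8 instead of quoting it into the SQL string. The table `notes`, its column `body`, and the connection credentials are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Shows why htmlentities() applied
// twice mangles apostrophes, how double_encode=false avoids it, and how binding
// the value with oci8 keeps the quote out of the SQL text altogether.
// The table "notes", the column "body" and the connection details are assumed.

function encodeOnce(string $input): string {
    // Fourth argument false: an entity that is already present, such as &#039;,
    // is left alone, so input the WYSIWYG has already encoded is not encoded again.
    return htmlentities($input, ENT_QUOTES, 'UTF-8', false);
}

function encodeTwice(string $input): string {
    // Default double_encode=true re-encodes the & of an existing entity,
    // which is the symptom described in the question.
    $once = htmlentities($input, ENT_QUOTES, 'UTF-8');
    return htmlentities($once, ENT_QUOTES, 'UTF-8');
}

$raw = "John's";                                   // constructed sample input
echo encodeTwice($raw), PHP_EOL;                   // John&amp;#039;s  (double-encoded)
echo encodeOnce(encodeOnce($raw)), PHP_EOL;        // John&#039;s      (stable on re-encoding)
echo html_entity_decode(encodeOnce($raw), ENT_QUOTES, 'UTF-8'), PHP_EOL; // John's

// Storing the value: bind it instead of splicing it into the SQL string.
// HTML encoding does nothing for SQL; a bound variable is never parsed as SQL,
// so the apostrophe can be stored exactly as typed.
function saveNote($conn, string $body): bool {
    $stmt = oci_parse($conn, 'INSERT INTO notes (body) VALUES (:body)');
    oci_bind_by_name($stmt, ':body', $body);       // binds by reference; $body must be a variable
    $ok = oci_execute($stmt);                      // OCI_COMMIT_ON_SUCCESS by default
    oci_free_statement($stmt);
    return $ok;
}

// Assumed credentials and service name; replace with your own.
$conn = oci_connect('app_user', 'app_password', 'localhost/XEPDB1', 'AL32UTF8');
if ($conn !== false) {
    saveNote($conn, $raw);                         // stored as: John's
    oci_close($conn);
}
```

With the bind variable handling the SQL side, the HTML encoding no longer has to happen before the INSERT at all; the raw text can be stored and passed through `htmlspecialchars()` at the point where it is rendered into a page, which is where the encoding actually protects anything.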