Sorry to ask this question, I'm sure this question has been asked, but because I don't know the name of this symbol ' I can't really search.

The problem: I have a MySQL database with text in it. That text might have something like this (Hi I've no idea how to fix this). Once I query that text using PHP and echo it in HTML, it displays this:

Hi I�ve no idea how to fix this

Code:

<?php
// Run the query and read the DESCRIPTION property of the fetched row
$sql = mysqli_query($connection, "SELECT Something FROM something WHERE ID = '1';");
$row = mysqli_fetch_object($sql);
$description = $row->DESCRIPTION;
?>

<p style="margin-top: 3%">
   <?php echo $description; ?>
</p>
  • use htmlentities or htmlspecialchars – Alive to die - Anant May 09 '18 at 12:40
  • What character encoding is your code editor set to? – James May 09 '18 at 12:42
  • UTF-8, if that's what you mean – May 09 '18 at 12:43
  • Yeah, IMO an apostrophe doesn't need htmlspecialchars or htmlentities, it's a standard char – James May 09 '18 at 12:44
  • What charset is your DB storing that value in? – James May 09 '18 at 12:45
  • @James I thought so too, but for some reason it's not displaying it. It's storing it as Text – May 09 '18 at 12:46
  • `htmlentities()` with ENT_QUOTES will resolve the issue in output, but this is fixing an issue downstream that should be resolved at the core. If this is a mismatch between encodings somewhere you'll get this in more places and be forever running around putting bandages over everything in output. What is the "Collation"? Run this on your DB: `SHOW TABLE STATUS FROM DBNAME` (change DBNAME to your db name) – James May 09 '18 at 12:52
  • Possible duplicate of [PHP output showing little black diamonds with a question mark](https://stackoverflow.com/questions/275411/php-output-showing-little-black-diamonds-with-a-question-mark) – James May 09 '18 at 13:00

2 Answers

2

Always try to set the MySQL encoding to UTF-8 as a first step. It will solve most of the issues.

At the PHP end you can do it like this:

mysqli_set_charset($connection, "utf8");

If the above is not used, then either you have to use htmlentities()

<?php echo htmlentities($description); ?>

or you have to use htmlspecialchars()

<?php echo htmlspecialchars($description, ENT_QUOTES); ?>
Alive to die - Anant
  • Thanks for the solution, it worked. By the end of it I didn't need to use either htmlentities() or htmlspecialchars(); all I needed was mysqli_set_charset($connection, "utf8"). Thank you for the help. I never used to set MySQL to utf8. Thanks, learned something new :) – May 09 '18 at 13:02
  • Hmm, not sure you should be advising just to change to UTF-8 - maybe they need something different or specific? Maybe this will have problems - without investigating this would be impossible to determine. Throwing such commands out can be dangerous IMO – James May 09 '18 at 13:03
  • @James sorry to ask, but what could be the problem? – May 09 '18 at 13:05
  • Changing your entire DB charset isn't something you just do usually. Depends on your DB size, data etc. Seems it's worked for you so no probs I guess. Just be careful running such commands without first investigating *exactly* what they will change, to be sure you're not breaking something, i.e. is this a single DB with a small table, maybe you're just developing it now, or is it in production with tons of client data, etc. This was not known when you were advised to change your charset, so just be careful running commands found on the internet :) – James May 09 '18 at 13:08
  • @James thanks for letting me know. I was under the impression that it would change the output of the data, but not the database itself. So does that mean my database is now running on UTF-8? I don't know if that's good or bad – May 09 '18 at 13:14
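The conversion chain the answer and its comments are arguing about, as an added illustration that is not code from the question or the answer: a small Python model (Python rather than PHP so it runs without a MySQL server) of the two places a character gets mangled, MySQL's conversion from the column charset to the connection charset, which is exactly what mysqli_set_charset() sets and which leaves the stored data untouched, and the browser's decoding of the page. The sample row bytes are constructed: they are what a latin1 column holds for a curly apostrophe (U+2019, byte 0x92 in MySQL's cp1252-flavoured latin1), and with the default latin1 connection on a UTF-8 page they reproduce the question's "Hi I�ve". The codec table is this model's assumption about MySQL's charsets. It also models what the answer's "utf8" leaves out: MySQL's utf8 is the 3-byte subset utf8mb3, so 4-byte characters such as emoji come back as "?" unless the connection uses utf8mb4. HTML escaping is included to show that it is orthogonal to the encoding problem, which is James's point in the comments.

```python
import html

# Python codec names for the MySQL charsets used below (this model's
# assumption, not MySQL code): MySQL's "latin1" is cp1252-like (0x80-0x9F are
# printable, 0x92 is U+2019), "utf8" is the 3-byte subset utf8mb3, and
# "utf8mb4" is full UTF-8.
CODECS = {"latin1": "cp1252", "utf8": "utf-8", "utf8mb4": "utf-8"}

# Constructed sample: the bytes a latin1 column holds for
# "Hi I’ve no idea how to fix this" typed with a curly apostrophe.
LATIN1_ROW = b"Hi I\x92ve no idea how to fix this"


def mysql_to_browser(column_bytes: bytes, column_charset: str,
                     connection_charset: str, page_charset: str = "utf8") -> str:
    """Model the two conversions between a MySQL column and the rendered page.

    1. MySQL converts the stored bytes from the column's charset to the
       connection charset (the one mysqli_set_charset() sets); characters the
       connection charset cannot represent are replaced with '?'. The stored
       data itself is never touched by this step.
    2. The browser decodes the bytes PHP echoed using the page's charset;
       byte sequences that are invalid in it render as U+FFFD (the � glyph).
    """
    text = column_bytes.decode(CODECS[column_charset])
    if connection_charset == "utf8":
        # utf8mb3 cannot hold code points above the BMP (4-byte sequences).
        text = "".join(ch if ord(ch) <= 0xFFFF else "?" for ch in text)
    on_the_wire = text.encode(CODECS[connection_charset], errors="replace")
    return on_the_wire.decode(CODECS[page_charset], errors="replace")


def escape_for_html(text: str) -> str:
    """htmlspecialchars($s, ENT_QUOTES)-style escaping. It stops markup in the
    value from being interpreted; it does nothing for a lost character."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Default connection charset (latin1) on a UTF-8 page: the question's symptom.
    print(mysql_to_browser(LATIN1_ROW, "latin1", "latin1"))
    # After mysqli_set_charset($connection, "utf8"): MySQL transcodes on the way out.
    print(mysql_to_browser(LATIN1_ROW, "latin1", "utf8"))
    # A 4-byte character survives only with utf8mb4 on the connection.
    smiley = "ok \U0001F600".encode("utf-8")
    print(mysql_to_browser(smiley, "utf8mb4", "utf8"),
          mysql_to_browser(smiley, "utf8mb4", "utf8mb4"))
    # Escaping the broken output still carries the replacement character.
    print(escape_for_html(mysql_to_browser(LATIN1_ROW, "latin1", "latin1")))
```

Run it and the first line shows the question's output, the second the fixed output; the third line is why a practitioner today would pass "utf8mb4" rather than "utf8" to mysqli_set_charset(). The same model also explains why the comment-thread advice to inspect the table's collation matters: the fix only works when the column charset MySQL converts from is the one the bytes were actually written in.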
0

Take a look at mysqli_real_escape_string.

It should help you with your issue and also improve the security of your script (against SQL injection). htmlentities() should also help.

Edit: As mentioned in the comments: instead of mysqli_real_escape_string, it is actually even more secure to use prepared statements.

Matthias Bö
  • mysqli_real_escape_string is a halfway solution. You should always use a prepared statement with bind variables – rypskar May 09 '18 at 12:47
  • @rypskar Hmmm, I use prepared statements if I want to execute the same statement multiple times, just with different parameters. If I want to run it just once, I use mysqli_real_escape_string. Does a prepared statement provide better performance for a single execution? – Matthias Bö May 09 '18 at 12:49
  • `mysqli_real_escape_string` is not necessarily secure. Why not have a base class/function for simple queries that uses prepared statements and takes a variable or array, and re-use it ;) – James May 09 '18 at 12:55
  • Thanks for the clarification @James. It's just what I learned at uni: prepared statements for multiple queries of the same format, escaping for a single query. But then the stuff you learn at uni is not always that practically relevant I guess... ;) I'll update my answer. – Matthias Bö May 09 '18 at 12:58
  • No probs :) If the code from coursework I've seen on Stack Overflow is anything to go by, no, they don't always teach great code lol – James May 09 '18 at 12:59
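The point of the comments, binding instead of escaping, as an added example that is not part of the answer: the injection that the question's concatenated query allows, next to the parameterised query that closes it. Python's sqlite3 is used as a stand-in for MySQL so the example runs offline; the table and its two rows are constructed. In the page's PHP the bound form is mysqli_prepare() followed by mysqli_stmt_bind_param() and mysqli_stmt_execute(). The reason rypskar and James call mysqli_real_escape_string a halfway solution is worth stating: it escapes according to the connection's character set, so it is only correct once the connection charset has been set with mysqli_set_charset() (a raw SET NAMES query does not inform the client library), whereas a bound parameter never reaches the SQL parser at all.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the question's MySQL table (sqlite3 so it runs
    without a server; the injection and the fix behave the same in mysqli)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE something (ID INTEGER PRIMARY KEY, DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO something VALUES (?, ?)", [
        (1, "Hi I\u2019ve no idea how to fix this"),
        (2, "a row the visitor was never meant to see"),
    ])
    return conn


def fetch_by_concatenation(conn: sqlite3.Connection, user_id: str) -> list:
    """The question's pattern: the value is spliced into the SQL text, so a
    value containing a quote rewrites the WHERE clause."""
    sql = f"SELECT DESCRIPTION FROM something WHERE ID = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def fetch_by_binding(conn: sqlite3.Connection, user_id: str) -> list:
    """Prepared statement with a bound parameter: the value travels separately
    from the query text and can only be compared, never parsed as SQL."""
    sql = "SELECT DESCRIPTION FROM something WHERE ID = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    print(fetch_by_concatenation(db, "1"))      # the intended single row
    print(fetch_by_concatenation(db, payload))  # every row leaks
    print(fetch_by_binding(db, "1"))            # the intended single row
    print(fetch_by_binding(db, payload))        # no row has that literal ID
```

The bound version returns nothing for the payload because the whole string is compared against ID as a value; there is no charset-dependent escaping step to get wrong, which is what makes it preferable even for a query that runs once.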