-3

I have this bit of code here which is part of a PHP login form which takes a user's first and last name and a password.

```php
$first_name  = SANITIZE(trim(strtolower(@$_POST["f_name"])));
$last_name  = SANITIZE(trim(strtolower(@$_POST["l_name"])));
```

These work fine on desktop for any kind of name, but on mobile there seems to be an issue with names that have either a ' or a - in them. So for example Shaquille O'Neal can log in just fine on desktop with his first and last name, but if he tries to log in with mobile something happens with the apostrophe in his name and it says the user doesn't exist. Any ideas why this might happen? It has been tested on both iPhone and Android phones with the same result.

Spyder Tech

2 Answers

-1

Try getting the character codes and comparing with the database.

Although ASCII only has one code for single quote (not counting back quote), UTF character sets have multiple ones. Similar for '-'. Mobile devices with "smart" keyboards may substitute what they think is a more grammatically correct letter.

Previously I wrote this which is wrong:

If this is the case you fix this by specifying that your webserver (at least for the login page) only wants ASCII with the header:

Accept: text/html;charset=US-ASCII, text/plain;charset=US-ASCII

symcbean
  • You're probably right about the problem being the substitution of a straight quote with a typographic apostrophe, but the suggestion to use an `Accept` header is very very wrong. That's a *request* header. The server can't use it to describe what it will accept in subsequent requests. – Quentin Feb 16 '23 at 21:58
  • 1
    Doh - need coffee - yes. Maybe run the POST vars through mb_convert_encoding() ? Needs testing. – symcbean Feb 16 '23 at 22:05
  • 1
    Oh....and don't sanitize input: https://stackoverflow.com/questions/27206373/how-to-sanitize-data-coming-out-of-a-database – symcbean Feb 16 '23 at 22:09
  • I really wish I didn't have to use sanitize but when I take it away o'neil can't login on desktop OR mobile. I am going to try running the post through mb_convert_encoding() because I had suspected it might be the character set of desktop vs mobile. – Spyder Tech Feb 16 '23 at 22:19
  • _"I really wish I didn't have to use sanitize but when I take it away o'neil can't login on desktop OR mobile."_ - that would probably be because you did not handle your data correctly for inserting into an SQL query. But whatever `SANITIZE` does, is likely not the correct way to handle that. If you are not using prepared statements already like you really should be doing these days, your rewrite should start with that. – CBroe Feb 17 '23 at 09:35
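
The diagnosis in the answer and comments above (a phone keyboard sending a typographic apostrophe where the stored name has a straight one, plus the advice to use prepared statements), as an added example that is not code from the question or from any answer. It prints code points for comparison, folds typographic apostrophes and dashes to ASCII, and looks the name up with bound parameters. The `users` table, its columns, the function names and the sample strings are assumptions; it needs PHP 7.4+ with mbstring and pdo_sqlite.

```php
<?php
// Added example. Table, column and function names are hypothetical.

// Show each character's Unicode code point, to compare what a phone sent
// with what is stored in the database.
function codepoints(string $s): string
{
    $out = [];
    foreach (mb_str_split($s, 1, 'UTF-8') as $ch) {
        $out[] = sprintf('U+%04X', mb_ord($ch, 'UTF-8'));
    }
    return implode(' ', $out);
}

// Fold the look-alikes that "smart" keyboards insert to their ASCII forms,
// then trim and lowercase in a UTF-8 aware way.
function normalize_name(string $s): string
{
    $map = [
        "\u{2018}" => "'", "\u{2019}" => "'", "\u{02BC}" => "'", "\u{2032}" => "'",
        "\u{2010}" => "-", "\u{2011}" => "-", "\u{2012}" => "-",
        "\u{2013}" => "-", "\u{2014}" => "-", "\u{2212}" => "-",
    ];
    return mb_strtolower(trim(strtr($s, $map)), 'UTF-8');
}

// Constructed sample data: an in-memory SQLite table standing in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (first_name TEXT, last_name TEXT)');
$pdo->exec("INSERT INTO users VALUES ('shaquille', 'o''neal')");

$desktop = "O'Neal";         // U+0027 straight apostrophe
$mobile  = "O\u{2019}Neal";  // U+2019, as a phone keyboard may send (constructed)

// Bound parameters: the apostrophe is data, so no escaping step is needed.
$stmt = $pdo->prepare(
    'SELECT COUNT(*) FROM users WHERE first_name = ? AND last_name = ?'
);
foreach ([$desktop, $mobile] as $last) {
    $stmt->execute([normalize_name('Shaquille'), normalize_name($last)]);
    $found = $stmt->fetchColumn() ? 'found' : 'not found';
    printf("%s => %s\n", codepoints($last), $found);
}
```

The same normalization has to be applied when the name is first stored, otherwise a name registered from a phone will not match a login typed on a desktop.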
-1

Try testing this with htmlspecialchars(). Sometimes special characters don’t play nice when entering data into forms or displaying it from a database.

  • The question is about comparing the submission to data in a database, not inserting it into an HTML document. Encoding the character as HTML isn't going to make it match. – Quentin Feb 16 '23 at 22:09