1
 $comment = mysql_real_escape_string($comment);

I use this, but it doesn't help. I use TinyMCE to insert strings into my database, but on selection I get weird characters...

× ×›×ª×‘ על ידי
\\r\\n

\r\n \r\n

Is there a way to parse/encode the string before it goes to the database, without this happening?

UPDATE:

This is what the text that goes into the database looks like:

   t;div class=\"entry\" style=\"padding-top: 20px; padding-right: 20px; padding-bottom: 10px; padding-left: 20px; margin:

0px;\">\r\n<div class=\"entrymeta\" style=\"padding: 0px; margin: 0px;\">osted on 15.10.2011 at 11:04 in&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"View all posts in Games\" href=\"http://www.rlslog.net/category/games/\" rel=\"category tag\">Games</a>,&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"View all posts in PC\" href=\"http://www.rlslog.net/category/games/pc/\" rel=\"category tag\">PC</a>&nbsp;by&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"Posts by Frado\" href=\"http://www.rlslog.net/author/frado/\">Frado</a></div>\r\n<div class=\"entrybody\" style=\"padding: 0px; margin: 0px;\">\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\">SKIDROW releases a fix for Orcs Must Die, read the NFO for details.</p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Description</strong>: Slice them, burn them, skewer them, and launch them &ndash; no matter how you get it done, orcs must die in this fantasy action-strategy game from Robot Entertainment.As a powerful War Mage with dozens of deadly weapons, spells, and traps at your fingertips, defend twenty-four fortresses from a rampaging mob of beastly enemies, including ogres, hellbats, and of course, a whole bunch of ugly orcs. 
Battle your enemies through a story-based campaign across multiple difficulty levels, including brutal Nightmare mode!</p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\" align=\"center\"><img style=\"border-width: 1px; border-color: #cccccc; border-style: solid; padding: 5px; margin: 5px;\" src=\"http://i27.lulzimg.com/4a9c85ba50.jpg\" alt=\"\" width=\"493\" height=\"278\" /></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\"><br style=\"padding: 0px; margin: 0px;\" /></strong></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Release name</strong>: Orcs.Must.Die.Fix-SKIDROW<br style=\"padding: 0px; margin: 0px;\" /><strong style=\"padding: 0px; margin: 0px;\">Size</strong>: 39,1 KB<br style=\"padding: 0px; margin: 0px;\" /><strong style=\"padding: 0px; margin: 0px;\">Links</strong>:&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.robotentertainment.com/games/orcsmustdie\">Homepage</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://store.steampowered.com/app/102600/\">Steam</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://uk.pc.ign.com/objects/080/080529.html\">iGN</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.gametrailers.com/game/orcs-must-die/14641\">Gametrailers</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://nfo.rlslog.net/view/29500\">NFO</a></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; 
padding-left: 0px; line-height: 19px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Download</strong>:&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.filesonic.com/file/2568940201\">FiLESONiC&nbsp;</a>-&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.fileserve.com/file/RsfZMT4\">FiLESERVE</a>&nbsp;&ndash;&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.newtorrents.info/search/Orcs.Must.Die.Fix-SKIDROW\">NTi</a></p>\r\n<p style=\"padding-top: 1em; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 19px; margin: 0px;\"><iframe style=\"border-width: initial; border-color: initial; overflow-x: hidden; overflow-y: hidden; width: 450px; height: 35px; border-style: none; padding: 0px; margin: 0px;\" src=\"http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.rlslog.net%2Forcs-must-die-fix-skidrow%2F&amp;layout=standard&amp;show_faces=false&amp;width=450&amp;action=like&amp;colorscheme=light&amp;height=35\" frameborder=\"0\" scrolling=\"no\"></iframe></p>\r\n<p class=\"comments_link\" style=\"padding-top: 20px; padding-right: 0px; padding-bottom: 10px; padding-left: 0px; line-height: 19px; margin: 0px;\"><a style=\"color:

c02e13; text-decoration: none; padding: 0px; margin: 0px;\" title=\"Comment on Orcs Must Die Fix-SKIDROW\"

href=\"http://www.rlslog.net/orcs-must-die-fix-skidrow/#respond\">Comments(0)</a></p>\r\n</div>\r\n</div>\r\n<div style=\"padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 40px; margin: 0px;\"><iframe style=\"padding: 0px; margin: 0px;\" src=\"http://www.roadcomponentsdb.com/300.htm\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"NO\" width=\"300\" height=\"250\"></iframe></div>\r\n<p id=\"nextlinks\" style=\"padding-top: 20px; padding-right: 20px; padding-bottom: 0px; padding-left: 20px; margin: 0px;\"><strong style=\"padding: 0px; margin: 0px;\">Previous post:</strong>&nbsp;<a style=\"color: #c02e13; text-decoration: none; padding: 0px; margin: 0px;\" href=\"http://www.rlslog.net/musclemag-international-%e2%80%93-december-2011-p2p/\">MuscleMag International &ndash; December 2011-P2P</a></p>

Dmitry Makovetskiyd

4 Answers

6

Two suggestions:

  1. Ditch the mysql_XXX API. It's going to be scrapped at some point, and it lacks crucial features, most notably parametrized queries. If you don't know what parametrized queries are, go read. They're the only sane way of keeping your SQL connectivity code sane. For PHP, I'd recommend PDO - it's a tad bit less straightforward, but it is well worth the learning curve.
  2. Make sure your charsets / encodings are correct. The easiest thing to do these days is to use Unicode (utf-8) for everything. You need to set the encoding in the database itself (if you can; in MySQL you need to do this per table and per column, which can be quite a hassle if you have to retro-fit it), the connection encoding (just call SET NAMES UTF-8 first thing after you establish a connection), php's internal encoding (mb_internal_encoding), and the output encoding (mb_http_output). Also, make sure you are actually outputting UTF-8; this means that all your source files and templates should also be saved in utf-8 encoding.

And whatever you do: NEVER EVER CONCATENATE OR SUBSTITUTE VALUES INTO QUERIES. Code like this: mysql_query("SELECT * FROM users WHERE USERNAME = '$username'"); should be illegal - there are just too many ways to shoot yourself in the foot with this and introduce SQL injection vulnerabilities. (And if you don't know what SQL injection is, read up on that one too).

Finally, a few hints on how you can debug your situation.

  • set up MySQL query logging. There's a setting in my.ini which will cause the MySQL server to dump all incoming queries into a log file. You don't want to do this on a production server, and you only want to enable it temporarily, but it's a great tool to see what actually gets sent to the server.
  • log into MySQL using the command-line client, and see what it outputs if you fire the same queries manually.
  • debug your PHP - make sure the values you're sending to the server are what you think they are - if you don't have a debugger at hand, peppering your script with print statements is better than nothing (just remember to remove them before committing)
tdammers
  • mysql_query("SET NAMES 'utf8'"); .. I used that, but it doesn't help much – Dmitry Makovetskiyd Oct 15 '11 at 10:35
  • 2
    @DmitryMakovetskiyd: What makes you think following just one fraction of the advice is going to solve all your problems? – tdammers Oct 15 '11 at 10:38
  • well, the PDO is said not to be able to manipulate data directly against the database. It provides some level of abstraction like transaction begin, commit, rollback. I set my tables as UTF but not the columns. I will try to set get_magic_quotes off... I will also try your other advice – Dmitry Makovetskiyd Oct 15 '11 at 10:46
  • it inputs text and html like this:

    99999999999999999

    ..I think one of the tags doesn't get closed, so it screws the text, which isn't included in the output either..hmmm
    – Dmitry Makovetskiyd Oct 15 '11 at 10:49
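The two suggestions above, prepared statements and a UTF-8 pipeline at every layer, put together in one script. This is an added example, not code from the answer or from the question; it assumes a local MySQL server, a database named `test`, placeholder credentials, and a made-up `comments` table with a `body` column.

```php
<?php
// Added example (not from the answer above): storing and reading back TinyMCE
// HTML with PDO prepared statements and a consistent UTF-8 pipeline.
// Assumes a local MySQL server, database "test" and a table "comments";
// host, user and password below are placeholders.
declare(strict_types=1);

mb_internal_encoding('UTF-8');   // PHP's mbstring functions work on UTF-8
mb_http_output('UTF-8');         // and output is sent as UTF-8
header('Content-Type: text/html; charset=UTF-8');

// The charset in the DSN does what "SET NAMES" did: the connection itself
// is declared UTF-8 (utf8mb4 covers all of Unicode, including emoji).
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4',
    'app_user',        // placeholder
    'app_password',    // placeholder
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Table and column are declared utf8mb4 too; no amount of escaping fixes a
// column that was created as latin1.
$pdo->exec(
    'CREATE TABLE IF NOT EXISTS comments (
        id   INT AUTO_INCREMENT PRIMARY KEY,
        body TEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL
    ) CHARACTER SET utf8mb4'
);

// Store a comment. The value never becomes part of the SQL text, so no
// escaping function is needed and quotes, backslashes, CRLF and non-Latin
// text all survive unchanged.
function storeComment(PDO $pdo, string $html): int
{
    // If the server still has magic_quotes_gpc on (PHP 5 only; removed in
    // PHP 8), undo its added backslashes first so nothing is escaped twice.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $html = stripslashes($html);
    }
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

// Constructed sample resembling what TinyMCE posts: HTML with quoted
// attributes, CRLF line breaks and a Hebrew phrase (the one the question's
// mojibake decodes to). This source file must itself be saved as UTF-8.
$sample = "<div class=\"entry\">\r\n<p>נכתב על ידי Dmitry</p>\r\n</div>";
$id   = storeComment($pdo, $sample);
$back = loadComment($pdo, $id);

// Round-trip check: a byte-identical result means charset and escaping are
// both right; a mismatch points at one of the layers set above.
var_dump($back === $sample);
```

If the round trip fails, compare the value at each layer in the order the answer lists them (column charset, connection charset, PHP internal encoding, output encoding); the query log the answer mentions shows exactly which bytes reached the server.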
2

This (additionally) looks like you have magic_quotes_gpc enabled. This is an insecure server setting and it destroys your data.

See also:

hakre
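Why magic_quotes_gpc "destroys your data", shown without a database. This is an added example, not code from the answer; `emulateMysqlEscape()` is a stand-in for `mysql_real_escape_string()` (which needs an open connection) and `mysqlUnescape()` models the server undoing one escaping pass when it parses a quoted literal. The sample input is constructed.

```php
<?php
// Added example, not code from the answer above. It simulates what ends up
// in the column when request data is escaped more than once: magic_quotes_gpc
// (equivalent to addslashes() on every request value) plus one real escaping
// pass leaves \" in the stored text; two escaping passes leave both \" and
// a literal \r\n. emulateMysqlEscape() stands in for mysql_real_escape_string()
// and is not the real function.
declare(strict_types=1);

function emulateMysqlEscape(string $s): string
{
    // Same characters mysql_real_escape_string() handles.
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

// What the server does with a quoted literal: undo exactly one escaping
// pass. Anything escaped more than once is stored as literal data.
function mysqlUnescape(string $s): string
{
    return strtr($s, [
        "\\\\" => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\0"  => "\0",
        "\\Z"  => "\x1a",
    ]);
}

// Simulate the value that reaches the column for a given pipeline.
function storedValue(string $posted, bool $magicQuotes, int $escapePasses, bool $stripFirst = false): string
{
    $v = $magicQuotes ? addslashes($posted) : $posted;   // PHP did this before the script ran
    if ($magicQuotes && $stripFirst) {
        $v = stripslashes($v);                            // the classic workaround
    }
    for ($i = 0; $i < $escapePasses; $i++) {
        $v = emulateMysqlEscape($v);
    }
    return mysqlUnescape($v);
}

// Constructed sample resembling what TinyMCE posts: a quoted attribute and a
// CRLF line break.
$posted = "<div class=\"entry\">\r\n<p>text</p></div>";

$cases = [
    'one escape, no magic quotes'            => storedValue($posted, false, 1),
    'magic quotes + one escape'              => storedValue($posted, true, 1),
    'escaped twice'                          => storedValue($posted, false, 2),
    'magic quotes, stripslashes, one escape' => storedValue($posted, true, 1, true),
];

foreach ($cases as $label => $stored) {
    // Make real control characters visible so they cannot be confused with
    // a literal backslash-r / backslash-n stored as text.
    $visible = strtr($stored, ["\r" => '<CR>', "\n" => '<LF>']);
    printf("%-40s %s  %s\n", $label . ':', $visible, $stored === $posted ? '(intact)' : '(corrupted)');
}
// Only the first and last cases reproduce $posted byte for byte. The
// "escaped twice" case stores both \" and \r\n as literal text, which is the
// pattern visible in the question's dump.
```

Prepared statements sidestep the whole problem because the value is never part of the SQL text, so there is nothing to escape and nothing to escape twice; if magic quotes cannot be disabled in the server configuration, `stripslashes()` on the incoming value is the one place to undo it.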
0

Use prepared statements instead of escaping and see if that helps. Also check the code pages/ characters sets are correct.

Janick Bernet
-2

It is very simple, actually.

For example, suppose I want to insert the string "Welcome" into my table; then I have to write a query like this:

insert into mytable (name) values ('welcome')

If you are inserting your record dynamically, meaning in PHP or any other language, then write it like this:

$string = "welcome"; mysql_query("insert into mytable (name) values ('".$string."')");

And for security purposes, also just enable magic quotes. Please visit this page for more information:

http://www.php.net/manual/en/function.get-magic-quotes-gpc.php

  • If you turn off quotes then it is insecure... and suppose you don't want to turn it on... then you have to use the addslashes function of PHP when you get the value after the page is submitted – Vishal Barot Oct 20 '11 at 11:22
  • Wrong. Magic quotes is insecure. It does not escape all characters that can be used to hack a SQL statement. You should also not use `addslashes` because it has the same problem. You need to use `mysql_real_escape_string()` as per the question, or other command specific to the database library that you are using. Do NOT rely on magic quotes to keep you safe; you will get hacked. – Spudley Oct 20 '11 at 14:26