PHP / mySQL-在插入数据库之前如何安全地编码/解码/转义/任何需要的字符串

Question

My problem is this: I have a database where all fields are VARCHAR. Some represent html code. This code contains chars like ◉, ⬛︎, ◔, ➜, ★, ✦, etc. These characters are not encoded on the HTML. They are like you see them here.

Other fields on that database are URLs.

I know I have to escape these chars to prevent sql-injection and also have to encode them to allow insertion on the database.

htmlspecialchars will not handle these symbols because they are not encoded on the source. mysql_escape_string will only escape bars and double quotes, etc.

How do I really encode this and escape in PHP so I can insert this data on the database and how do I read them back?

thanks.

Answer 1

I have found same problem when i insert German string value into varchar type field, string are converted to unreadable characters.

This is the problem of UTF-8, I solve this issue by following thing:

$con = mysqli_connect("localhost","root","root");
mysqli_query($con,"SET NAMES 'utf8'");

I hope it will fix your problem in every fields of your DB.

Answer 2

Use parameterized queries to prevent SQL injection. And use htmlspecialchars() function when you display data in html. With PDO that I love:

$db = new PDO($dsn, $db_user, $db_password);
$query = 'INSERT INTO table (data1, data2) VALUES (:data1, :data2)';
$statement = $db->prepare($query);                          
$statement->bindValue(':data1',$data1);
$statement->bindValue(':data2',$data2)
$statement->execute();

Answer 3

如果您要删除常规az字母和0-9数字旁边的所有字符，请使用preg_match：

preg_match("/^[a-zA-Z0-9]+$/", $value);