4

I have a character encoding problem in PHP. This is the PHP code:

$n_event=$_GET['ndlann'];
$nom_complet=htmlentities(stripslashes($_POST['nom']));
$email_comment=htmlentities(stripslashes($_POST['email']));
$titre_comment=htmlentities(stripslashes($_POST['titre']));
$texte_comment=htmlentities(stripslashes(nl2br($_POST['commentaire'])));
$pays_comment=$_POST['pays'];
$date_ajout=date('Y/m/d');

Data will be added to a database table. You can see that this data comes from a comments form, so when the user enters comments with oriental language characters (Arabic, Hebrew, etc.), the input data changes to something like:

Ø´Ù�را عÙ�Ù� اÙ�Ù�Ù�ضÙ�Ø

I tried deleting the htmlentities method and that works fine, but it starts another problem with comments form security (JS scripts will be executed).

What can I do with this situation?

and thanks

8
  • 2
    Did you try to set charset in htmlentities to e.g. UTF-8? Commented Jan 25, 2011 at 10:36
  • How to do it? htmlentities($_POST['comment'],'charset=UTF-8') ?? Commented Jan 25, 2011 at 10:39
  • 1
    @Simo TAQUI. Try this: htmlentities($_POST['comment'],ENT_COMPAT,'utf-8') Commented Jan 25, 2011 at 10:43
  • Okay, thank you! +1, I'll try this. Just Taqi is without U :) Commented Jan 25, 2011 at 10:45
  • @Simo TAQI. Sorry for spelling mistake :-) Commented Jan 25, 2011 at 10:46

2 Answers

2

Do not use htmlentities() ever.

This function was obsoleted a long time ago. Use htmlspecialchars() instead.

You also have a bunch of nonsense in your code:

  • Doing htmlentities(nl2br(*)) makes no sense.

  • Make stripslashes conditional, only if magic quotes are set on.

  • There is a possible problem with the pays field.

  • I am also afraid that you're taking htmlentities as some sort of SQL escaping function. Am I right?


12 Comments

@Shrapnel , thank you for your answer friend, I will change my code.. but for the pays field , it comes from a select element and I think there's no problem with it :-) +1
@Simo you cannot be more wrong. That IS the problem. There is no matter what kind of field in terms of security.
@Shrapnet, I think u're right!, maybe someone can construct a new form but with a textarea with pays name.. and enter a javascript code. thank you for this note. +1
@Sharpnel, and for what purpose must make stripslashes conditional if only magic quotes are set on?? and thank you to clear the matters up. :)
@Simo nl2br will add an HTML tag to your text (<br> one). BUT htmlentities WILL MAKE ENTITIES OUT OF IT! So, it would be not a line break on the HTML page, but literal <br> as is! CAN'T YOU SEE THAT???
2

In my opinion, and according to the PHP doc, the accepted answer is not correct. Nowhere is it written that this function has been deprecated.

If you correctly set the third argument of the function, called $encoding, it will solve your problem.

I hope this helps.
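An added example (not code from the question or from either answer) that puts the points raised in both answers together: pass the encoding explicitly so UTF-8 text survives, escape before calling nl2br, and check the pays value against a fixed list even though it comes from a select element. It assumes PHP 7.1 or later and a page served as UTF-8; the helper names, the sample input and the country codes are hypothetical.

```php
<?php
// Added example. Magic quotes were removed in PHP 5.4, so no stripslashes()
// call is needed on current PHP versions.

// Escape a value for HTML output. The third argument declares the input as
// UTF-8, so multi-byte Arabic or Hebrew text is not read as single-byte text.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Escape first, then insert line-break tags, so the tags nl2br() adds
// stay markup instead of being turned into entities.
function esc_multiline(string $s): string
{
    return nl2br(esc_html($s));
}

// A value from a <select> is still client-controlled: accept it only if it
// is one of the values the form actually offers.
function pick_country(string $value, array $allowed): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample input standing in for $_POST.
$post = [
    'nom'         => 'سيمو',
    'commentaire' => "شكرا على الموضوع\n<script>alert(1)</script>",
    'pays'        => '<script>alert(2)</script>',
];
$allowed = ['MA', 'DZ', 'TN']; // hypothetical country codes

header('Content-Type: text/html; charset=UTF-8');

// The Arabic name is printed unchanged; the script tag in the comment is
// shown as text and the newline becomes a real line break.
echo esc_html($post['nom']), "<br>\n";
echo esc_multiline($post['commentaire']), "<br>\n";

// The forged pays value is rejected instead of being stored or echoed.
$pays = pick_country($post['pays'], $allowed);
echo $pays === null ? 'pays rejected' : esc_html($pays), "\n";
```

Escaping like this belongs at output time; writing the comment to the database is a separate step that needs its own SQL parameter binding.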
