floridaflatlander Posted June 15, 2012

I have a book "Wicked Cool PHP" and in the security section it suggests that one should use utf8_decode to "prevent potential Unicode codec problems". Something like this:

    $name = utf8_decode($_POST['name']);

Is this a good idea? I have "<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />" in the header; are these different things? I've found web sites saying this is a bad thing.

Wicked Cool PHP suggests:

    $name = utf8_decode($_POST['name']);
    $name = htmlentities($name, ENT_NOQUOTES);
    $name = str_replace("#", "&#35;", $name);
    $name = str_replace("%", "&#37;", $name);

Is this a good idea or just extra work? I use the standard strip_tags & mysqli_real_escape_string now.

Link to comment: https://forums.phpfreaks.com/topic/264243-using-utf8_decode-for-inputs/
requinix Posted June 15, 2012

It's not so much bad as it is incorrect. utf8_decode() actually decodes the text, but what you want to do is check that it was valid UTF-8.

    if (mb_detect_encoding($_POST['name'] . " ", "UTF-8")) {
        // valid UTF-8
    }

The added space is because the string could end in the middle of a byte sequence and mb_detect_encoding() allows that (but you don't).

Also,

1. Don't htmlentities() stuff when you put it into the database. Only when you output it.
2. Those str_replace()s should not be necessary. If you think they are then you should probably be using a function like urlencode() instead. But again, when you output stuff and not when you put it in the database.
3. strip_tags() only if you want to completely remove HTML tags. If you don't care if there's HTML then don't use it.
4. If you're using mysqli then you should be using prepared statements, not building query strings by hand.
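The pattern the reply above recommends (validate that the input is well-formed UTF-8 on the way in, store the raw text through a prepared statement, and HTML-escape only at output time), as an added example; this is not code from the thread or from "Wicked Cool PHP". It uses mb_check_encoding() rather than mb_detect_encoding(), since mb_check_encoding() rejects truncated and overlong sequences directly, so the trailing-space trick is not needed. The `users(name)` table and the `store_name()` helper are hypothetical, and the `$samples` array is constructed input, not real traffic.

```php
<?php
// Added example (not from the thread or the book): validate UTF-8 on input,
// store the raw value with a prepared statement, escape only when rendering HTML.

declare(strict_types=1);

/**
 * True when $s is a well-formed UTF-8 byte string. mb_check_encoding() rejects
 * truncated sequences, overlong forms and stray continuation bytes, which is the
 * check the reply above wanted (it appended a space to catch truncation).
 */
function is_valid_utf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

/**
 * Read a POST field and return null unless it is a string, within a byte limit,
 * and valid UTF-8. Nothing is HTML-encoded here: the database should hold raw text.
 */
function read_utf8_field(array $post, string $key, int $maxBytes = 255): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = $post[$key];
    if (strlen($value) > $maxBytes || !is_valid_utf8($value)) {
        return null;
    }
    return $value;
}

/**
 * Store the name with a prepared statement so the value is bound as data and
 * never interpolated into SQL text. Assumes a hypothetical table users(name VARCHAR(255)).
 */
function store_name(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Escape at output time only, for an HTML text or attribute context. */
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not real traffic) covering valid and malformed bytes.
$samples = [
    'plain'     => ['name' => 'Ana'],
    'accented'  => ['name' => "Zo\u{EB}"],         // "Zoë", valid UTF-8
    'truncated' => ['name' => "Zo\xC3"],           // cut in the middle of a 2-byte sequence
    'overlong'  => ['name' => "\xC0\xAFetc"],      // overlong encoding of '/'
    'latin1'    => ['name' => "Zo\xEB"],           // ISO-8859-1 byte, not UTF-8
    'markup'    => ['name' => '<b>Ana</b> & Co'],  // valid UTF-8; HTML is escaped only on output
];

foreach ($samples as $label => $post) {
    $name = read_utf8_field($post, 'name');
    if ($name === null) {
        echo "$label: rejected (not valid UTF-8 or too long)\n";
        continue;
    }
    // With a live connection this is where store_name($db, $name) would run.
    echo "$label: stored as-is, rendered as " . html_text($name) . "\n";
}
```

Run it with `php example.php` (the mbstring extension must be enabled). The three malformed samples are rejected before anything touches the database, while the markup sample is accepted and stored untouched; it only becomes `&lt;b&gt;Ana&lt;/b&gt; &amp; Co` when html_text() renders it, which is the "escape on output, not on input" point of the reply.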
floridaflatlander Posted June 15, 2012 (Author)

Thanks for the reply. Is it even worth worrying about using mb_detect_encoding? I don't think I've seen it here (or anyone talking about UTF-8 encoding/decoding) before, and the only place I've seen that said it needed to be used is the book "Wicked Cool PHP".
requinix Posted June 15, 2012

Generally no, it's not worth it.