Jump to content

Recommended Posts

I have a book "Wicked Cool PHP" and in the security section it suggest that one would should use utf8_decode to "prevent  potential Unicode codec problems"

 

Something like this $name = utf8_decode($_POST ['name']);

 

Is this a good idea? I have "<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />" in the header, are these diffent things?

 

I've found web sites saying this is a bad thing

 

 

Wicked Cool PHP suggest

		$name = utf8_decode($_POST ['name']);
	$name = htmlentities($name, ENT_NOQUOTES);
	$name = str_replace("#", "&#35;", $name);
	$name = str_replace ("%", "&#37;", $name);]

 

Is this a good idea or just extra work?

I use the standard strip_tags & mysqli_real_escape_string now.

Link to comment
https://forums.phpfreaks.com/topic/264243-using-utf8_decode-for-inputs/
Share on other sites

It's not so much bad as it is incorrect. utf8_decode() actually decodes the text, but what you want to do is check that it was valid UTF-8.

if (mb_detect_encoding($_POST['name'] . " ", "UTF-8")) {
    // valid UTF-8

The added space is because the string could end in the middle of a byte sequence and mb_detect_encoding() allows that (but you don't).

 

Also,

1. Don't htmlentities() stuff when you put it into the database. Only when you output it.

2. Those str_replace()s should not be necessary. If you think they are then you should probably be using a function like urlencode() instead. But again, when you output stuff and not when you put it in the database.

3. strip_tags() if only if you want to completely remove HTML tags. If you don't care if there's HTML then don't use it.

4. If you're using mysqli then you should be using prepared statements, not building query strings by hand.

Thanks for the reply.

 

Is it even worth worrying about using mb_detect_encoding? I've don't think I've seen it here(or anyone talking about UTF-8 encoding/decoding) before and the only place I've seen that said it needed to be used is the book "Wicked Cool PHP"

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.