I have a classified website, and I recently changed the insertion of classifieds to use PHP Session variables instead of a lot of POST and FORMS...

So first BEFORE changing to Sessions, it worked nice and all special characters showed up correctly.

Now that I changed to SESSIONS, I get funny characters instead of the special characters.

Here is some code to explain better.

First is BEFORE changing to sessions: Below is the first page which shows a verification page (preview), where users may press "OK" or "Go back and change":

    //VERIFICATION PAGE:
    <form>
     <input type="text" value="<?php echo htmlentities($_POST['annonsera_headline'], ENT_QUOTES, 'utf-8'); ?>">

    //IF OK, THEN TO THE PAGE WHERE THE CLASSIFIED IS INSERTED
    $headline = mysql_real_escape_string($_POST['headline']);

Now the above worked but then I changed to sessions:

    //VERIFICATION PAGE:
    $headline = htmlentities($_POST['annonsera_headline'], ENT_QUOTES, 'utf-8');
    $_SESSION['headline'] = $headline;

    //IF OK, THEN TO THE PAGE WHERE THE CLASSIFIED IS INSERTED
    $headline = mysql_real_escape_string($_SESSION['headline']);

The above here changed all characters in the headline to corresponding HTML ENTITIES.

What should I do here?

And in my MySQL headline field, there is no HTML ENTITY, there is the correct text. But on my webpages and in the classified the special characters show up funny, even though they are taken from the same MySQL field (which looks good in phpMyAdmin).

Any ideas?

Thanks

A: 

Ensure that your connection to MySQL is UTF-8 safe first of all, I would say, by issuing a SET NAMES UTF8 to the database just after you connect. Also ensure that your table field is also UTF-8 by setting the table's collation.

Hope that helps

Catharsis
A: 

You're HTML-encoding your submitted headline before putting it into the session. Then you get the encoded value out of the session and insert it into the database.

Neither the session store nor the database is HTML, so you shouldn't be encoding the values here. You should only HTML-encode text when you're outputting it to an HTML page (like the <input> in the first example). Also, you should probably use htmlspecialchars() in preference to htmlentities(), which pointlessly tries to use HTML entity references for some (but not all) Unicode characters.

Ensure that your page is served as UTF-8 (with a Content-Type header and/or <meta>), your database connection is set to use UTF-8 (using mysql_set_charset(), preferably not SET NAMES) and that each text column of each table is set to use a UTF-8 collation.

For what it's worth I would not use sessions here. For doing multi-stage forms, using hidden values to pass previous inputs is more reliable: consider what happens when the user opens two browser windows and tries to enter two classifieds simultaneously. The values from one form will overwrite the values from the other form, mixing up the two processes. (The other alternative is to have a single-page form with some client-side scripting to show only part of it at once.)

bobince
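
The encode-at-output rule from the answer above, as an added example that is not part of the original thread: it compares the question's pattern (HTML-encode, then store) with storing the raw text and encoding only when writing HTML. The sample headline, the `html_out()` and `browser_text()` helpers, and the arrays standing in for `$_SESSION` are assumptions made for the illustration.

```php
<?php
// Added illustration. Save this file as UTF-8.
// Plain arrays stand in for $_SESSION so the script runs from the CLI.

// Constructed sample standing in for $_POST['annonsera_headline'].
$submitted = 'Säljes: "Volvo" <b>billigt</b> & bra';

// Hypothetical helper: HTML-encode only at the point of output.
function html_out(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rough approximation of the text a browser displays for a piece of HTML.
function browser_text(string $html): string
{
    return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pattern from the question: encode first, then store.
$encodedSession = ['headline' => htmlentities($submitted, ENT_QUOTES, 'UTF-8')];
// Pattern from the answer: store the raw text.
$rawSession = ['headline' => $submitted];

$cases = ['encoded at input' => $encodedSession, 'raw in session' => $rawSession];
foreach ($cases as $label => $session) {
    // Value that would be handed on to the database layer.
    $stored = $session['headline'];
    // Preview field, encoded at the HTML sink.
    $markup = '<input type="text" value="' . html_out($stored) . '">';
    $shown = browser_text(html_out($stored));

    echo "== $label ==\n";
    echo "stored : $stored\n";
    echo "markup : $markup\n";
    echo "shown  : $shown\n";
    echo "intact : " . ($shown === $submitted ? 'yes' : 'no') . "\n\n";
}
```

In the first case the stored value already contains entity references, so any page that encodes on output displays them literally; in the second the stored text is unchanged and the markup characters in the headline are still neutralised where they reach HTML.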