You need to make sure that every time you process a UTF-8 string, you do so safely. This is, unfortunately, the hard part. You'll probably want to make extensive use of PHP's
PHP's built-in string operations are not by default UTF-8 safe. There are some things you can safely do with normal PHP string operations (like concatenation), but for most things you should use the equivalent
Data Storage and Access
This topic specifically talks about UTF-8 and considerations for using it with a database. If you want more information about using databases in PHP then checkout this topic.
Storing Data in a MySQL Database:
- Specify the
utf8mb4character set on all tables and text columns in your database. This makes MySQL physically store and retrieve values encoded natively in UTF-8.
MySQL will implicitly use
utf8mb4encoding if a
utf8mb4_*collation is specified (without any explicit character set).
- Older versions of MySQL (< 5.5.3) do not support
utf8mb4so you'll be forced to use
utf8, which only supports a subset of Unicode characters.
Accessing Data in a MySQL Database:
In your application code (e.g. PHP), in whatever DB access method you use, you'll need to set the connection charset to
utf8mb4. This way, MySQL does no conversion from its native UTF-8 when it hands data off to your application and vice versa.
Some drivers provide their own mechanism for configuring the connection character set, which both updates its own internal state and informs MySQL of the encoding to be used on the connection. This is usually the preferred approach.
For Example (The same consideration regarding
utf8applies as above):
If the database driver does not provide its own mechanism for setting the connection character set, you may have to issue a query to tell MySQL how your application expects data on the connection to be encoded:
SET NAMES 'utf8mb4'.
You should verify every received string as being valid UTF-8 before you try to store it or use it anywhere. PHP's
mb_check_encoding()does the trick, but you have to use it consistently. There's really no way around this, as malicious clients can submit data in whatever encoding they want.
If you're using HTML5 then you can ignore this last point. You want all data sent to you by browsers to be in UTF-8. The only reliable way to do this is to add the
accept-charsetattribute to all of your
<form>tags like so:
If your application transmits text to other systems, they will also need to be informed of the character encoding. In PHP, you can use the
php.ini, or manually issue the
Content-TypeMIME header yourself. This is the preferred method when targeting modern browsers.
If you are unable to set the response headers, then you can also set the encoding in an HTML document with HTML metadata.
Older versions of HTML