Jump to content

Recommended Posts

Whenever someone posts a comment on my site that includes an apostrophe, it breaks the page and an error occurs, an extract of the start of the error is shown here.

 

')' at line 1] in EXECUTE("INSERT INTO .........

 

I think this is something to do with the way apostrophes are being handled...? Is there something I can do at the point of input to properly handle the apostrophes entered by visitors?

 

I've invested a huge amount of resources on this system but unfortunately the developer is no longer supporting the php script so I am hoping someone here can tell me how to properly deal with apostrophes entered in comment fields.

 

Please speak slowly.

 

Many thanks.

Link to comment
https://forums.phpfreaks.com/topic/146933-apostorphys-in-comment-field-breaks-php/
Share on other sites

Thanks Premiso

 

I did some more digging and found that the comment system calls a page called PHP Input Filter

 

and at the end of that is the expression you mention...

 

function escapeString($string, &$connection) {

// depreciated function

if (version_compare(phpversion(),"4.3.0", "<")) mysql_escape_string($string);

// current function

else mysql_real_escape_string($string);

return $string;

 

So it looks like it should already be working, but isn't for some reason  ???

The code in that function does nothing but return the original $string without escaping the data.

 

Both  mysql_escape_string() (don't use it) and mysql_real_escape_string() return the escaped string and you either need to assign that to a variable or use it in the function's return statement.

 

Whoever wrote that function either did not test it or deliberately or accidentally left the code open to sql injection.

Oh yeh, I didn't even realize.

 

So you know rocky, it should be:

 


   function escapeString($string, &$connection) {
      // depreciated function
      if (version_compare(phpversion(),"4.3.0", "<")) $string = mysql_escape_string($string);
      // current function
      else $string = mysql_real_escape_string($string);
      return $string;

 

Hope that helps.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.