R0CKY, posted February 25, 2009:

Whenever someone posts a comment on my site that includes an apostrophe, it breaks the page and an error occurs; an extract of the start of the error is shown here:

    ')' at line 1] in EXECUTE("INSERT INTO .........

I think this is something to do with the way apostrophes are being handled...? Is there something I can do at the point of input to properly handle the apostrophes entered by visitors? I've invested a huge amount of resources in this system, but unfortunately the developer is no longer supporting the PHP script, so I am hoping someone here can tell me how to properly deal with apostrophes entered in comment fields. Please speak slowly. Many thanks.
premiso, posted February 25, 2009:

You need to escape textual data going into a DB using mysql_real_escape_string(), which will escape apostrophes properly.
R0CKY, posted February 28, 2009 (author):

Thanks Premiso. I did some more digging and found that the comment system calls a page called PHP Input Filter, and at the end of that is the expression you mention...

```php
function escapeString($string, &$connection) {
    // deprecated function
    if (version_compare(phpversion(), "4.3.0", "<"))
        mysql_escape_string($string);       // return value of the escaping call is not kept
    // current function
    else
        mysql_real_escape_string($string);  // return value of the escaping call is not kept
    return $string;
}
```

So it looks like it should already be working, but isn't for some reason ???
DamienRoche, posted February 28, 2009:

Stupid answer... I'm worthless.
PFMaBiSmAd, posted February 28, 2009:

The code in that function does nothing but return the original $string without escaping the data. Both mysql_escape_string() (don't use it) and mysql_real_escape_string() return the escaped string, and you either need to assign that to a variable or use it in the function's return statement. Whoever wrote that function either did not test it, or deliberately or accidentally left the code open to SQL injection.
DamienRoche, posted February 28, 2009:

Oh yeh, I didn't even realize. So you know rocky, it should be:

```php
function escapeString($string, &$connection) {
    // deprecated function
    if (version_compare(phpversion(), "4.3.0", "<"))
        $string = mysql_escape_string($string);
    // current function: keep the escaped result, and escape against the
    // connection the function is handed rather than whichever link was opened last
    else
        $string = mysql_real_escape_string($string, $connection);
    return $string;
}
```

Hope that helps.
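Added example (not code from the thread or from the PHP Input Filter script): it reproduces the bug the replies above identify, an escaping function whose return value is discarded, next to the corrected version and a prepared statement. It assumes PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; note that PDO::quote() adds the surrounding quotes itself, unlike mysql_real_escape_string().

```php
<?php
// Broken form, as in the thread: the escaped string is computed and thrown away,
// so the caller gets the original text back and an apostrophe ends the SQL literal early.
function escapeStringBroken($string, PDO $db) {
    $db->quote($string);   // return value discarded
    return $string;        // original, unescaped string
}

// Corrected form: keep what the escaping call returns.
function escapeStringFixed($string, PDO $db) {
    return $db->quote($string);   // e.g. 'Don''t break the page'
}

$db = new PDO('sqlite::memory:');   // assumption: SQLite stands in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$comment = "Don't break the page";   // constructed sample visitor input

// 1. Broken escaping: the query text becomes VALUES ('Don't break the page')
//    and the database rejects it with a syntax error, as in the original post.
try {
    $db->exec("INSERT INTO comments (body) VALUES ('" . escapeStringBroken($comment, $db) . "')");
} catch (PDOException $e) {
    echo "broken escape failed: " . $e->getMessage() . "\n";
}

// 2. Corrected escaping: the apostrophe is doubled and the insert succeeds.
$db->exec("INSERT INTO comments (body) VALUES (" . escapeStringFixed($comment, $db) . ")");

// 3. Prepared statement: the value is bound separately and never spliced into
//    the SQL text, so quoting mistakes of this kind cannot occur at all.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute(array(':body' => $comment));

foreach ($db->query('SELECT id, body FROM comments') as $row) {
    echo $row['id'] . ': ' . $row['body'] . "\n";
}
```

Running it prints the syntax error for case 1 followed by the two stored rows, both containing the apostrophe intact.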