
Apostrophes in comment field break PHP.


R0CKY


Whenever someone posts a comment on my site that includes an apostrophe, it breaks the page and an error occurs, an extract of the start of the error is shown here.

 

')' at line 1] in EXECUTE("INSERT INTO .........

 

I think this is something to do with the way apostrophes are being handled...? Is there something I can do at the point of input to properly handle the apostrophes entered by visitors?

 

I've invested a huge amount of resources on this system but unfortunately the developer is no longer supporting the php script so I am hoping someone here can tell me how to properly deal with apostrophes entered in comment fields.

 

Please speak slowly.

 

Many thanks.


Thanks Premiso

 

I did some more digging and found that the comment system calls a page called PHP Input Filter

 

and at the end of that is the expression you mention...

 

function escapeString($string, &$connection) {
    // deprecated function
    if (version_compare(phpversion(), "4.3.0", "<")) mysql_escape_string($string);
    // current function
    else mysql_real_escape_string($string);
    // the escaped value returned above is never assigned, so $string is returned unchanged
    return $string;
}

 

So it looks like it should already be working, but isn't for some reason???


The code in that function does nothing but return the original $string without escaping the data.

 

Both mysql_escape_string() (don't use it) and mysql_real_escape_string() return the escaped string and you either need to assign that to a variable or use it in the function's return statement.

 

Whoever wrote that function either did not test it or deliberately or accidentally left the code open to sql injection.


Oh yeah, I didn't even realize.

 

So you know, Rocky, it should be:

 


   function escapeString($string, &$connection) {
      // deprecated function
      if (version_compare(phpversion(), "4.3.0", "<")) $string = mysql_escape_string($string);
      // current function, escaping for the character set of the given connection
      else $string = mysql_real_escape_string($string, $connection);
      return $string;
   }

 

Hope that helps.

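Added example, not code from the thread: the same comment INSERT done with a mysqli prepared statement, which is the fix to prefer over escaping, since the mysql_* functions the thread uses were deprecated in PHP 5.5 and removed in PHP 7. The table and column names (comments, author, body), the connection details and the sample comment are constructed assumptions.

```php
<?php
// Added example (not from the thread). Table/column names, credentials and the
// sample comment below are assumptions, not values from the original site.

// Constructed sample input: the kind of comment that broke R0CKY's page.
$author = "R0CKY";
$body   = "Don't use unescaped input, it's dangerous.";

$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}

// 1. Preferred: prepared statement. The SQL text is fixed and the values are
//    sent separately, so the apostrophe in $body is data, never a delimiter.
$stmt = $mysqli->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$stmt->bind_param('ss', $author, $body);
$stmt->execute();
$stmt->close();

// 2. If escaping has to stay (old code base), the escaped value must be USED,
//    and the escape call should be given the connection so it escapes for
//    that connection's character set. This is what the thread's fix got right.
function escapeString($string, mysqli $connection) {
    return $connection->real_escape_string($string);
}
$sql = sprintf("INSERT INTO comments (author, body) VALUES ('%s', '%s')",
               escapeString($author, $mysqli), escapeString($body, $mysqli));
// $sql now reads ... VALUES ('R0CKY', 'Don\'t use unescaped input, ...') ...
$mysqli->query($sql);
```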
