
I am writing simple AJAX functions to send comments to the server and save them in a mySQL database with php.

The following code seemed to work just fine for my purposes, basic but it did its job, until I tried to put a hash symbol (#) in a comment. Inserting this into the text "crashes" my functions, without saving the written text in the database and basically returning an empty div.

This is the ajax call:

  function sendComment(n){
    var xmlhttp = createAjax();

    var text = document.getElementById("f"+n).value;
    if (!validation(text))
      return false;

    xmlhttp.onreadystatechange = function () {
      if (xmlhttp.readyState==4 && xmlhttp.status==200){
        appendComment(n, xmlhttp.responseText);
      }
    };
    ...
    var url = "comments.php?news="+n+"&text="+text;
    xmlhttp.open("GET", url, true);
    xmlhttp.send();
    ...
  }

createAjax simply creates the xmlhttp object for every browser in the standard way; validation is a function that checks for many symbols like <, >, =, (, ), | with a regular expression.

This is the PHP part:

  function insertComment($text, $news){
    $conn = dbConnect();

    $user = $_SESSION["user"];
    $text = nl2br(htmlentities($text));
    $date = date("Y-m-d H:i:s");
    $sql = "INSERT INTO comments(user, news, date, text) VALUES ('".$user."','".$news."','".$date."', '".$text."')";
    mysql_query($sql) or die ("Errore in inserimento: ".mysql_error());
    echo writeSingleComment($user, $date, $text);
    mysql_close($conn);
  }

It just connects, saves the comment and returns the HTML code with echo, so that the JavaScript function can print it.

This works with any text apparently, but I can't get it to work with a hash. Am I missing something? Sidenote: I could simply add the symbol to the validation regular expression, but my point is to "print" it, not just exclude it. Thanks in advance! Sidenote 2: the JavaScript attaches the comment to a static element.

edornd
  • "am I missing something" — The code that takes the data with the hash and puts it in the HTTP request. – Quentin Dec 23 '14 at 15:45
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are probably also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Dec 23 '14 at 15:46
  • I simply wrote /*open send etc..*/ to make it quicker, let me edit with the full code – edornd Dec 23 '14 at 15:47
  • I understand, but I can't change the MySQL part, since it is not my choice, it has to stay like that, thanks for the warning though! – edornd Dec 23 '14 at 15:49

2 Answers

2
    url = "comments.php?news="+n+"&text="+text;

You aren't escaping any of the data you are putting into your URL.

Some characters have special meaning, e.g. & separates query parts and # starts the fragment identifier.

You need to run your input through encodeURIComponent() before adding it to the URL.

    url = "comments.php?news=" + encodeURIComponent(n) + "&text=" + encodeURIComponent(text);
Quentin
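As an added example (not code from the question or either answer), this Node script uses the WHATWG URL parser to stand in for the browser and for PHP's $_GET decoding, and shows what comments.php actually receives from the question's unescaped URL versus the encoded one; the host name is a constructed placeholder. It also goes one step beyond the answer: encodeURIComponent leaves `'` untouched, so it is no substitute for protecting the SQL on the PHP side.

```javascript
// Added example, not code from the question or the answers. Node's URL parser
// stands in for the browser (which never sends the fragment) and for the
// percent-decoding PHP applies when it fills $_GET.
const BASE = "http://example.test/comments.php"; // constructed placeholder host

// The question's construction: raw values concatenated into the query string.
function buildUrlUnsafe(n, text) {
  return BASE + "?news=" + n + "&text=" + text;
}

// The fix from the accepted answer: each value run through encodeURIComponent().
function buildUrlSafe(n, text) {
  return BASE + "?news=" + encodeURIComponent(n) +
         "&text=" + encodeURIComponent(text);
}

// What comments.php would read from $_GET["text"] (null if the key is absent).
function serverSeesText(url) {
  return new URL(url).searchParams.get("text");
}

// Every query parameter name the server would see; exposes "&" splitting.
function serverSeesKeys(url) {
  return Array.from(new URL(url).searchParams.keys());
}

// The fragment: everything from "#" on stays in the browser and is never sent.
function fragmentOf(url) {
  return new URL(url).hash;
}

function demo() {
  var comment = "see issue #42 & reply";
  var unsafe = buildUrlUnsafe(7, comment);
  var safe = buildUrlSafe(7, comment);
  // Unescaped: the text is cut at "#" and the rest becomes the fragment.
  console.log("unsafe text param:", JSON.stringify(serverSeesText(unsafe))); // "see issue "
  console.log("unsafe fragment  :", fragmentOf(unsafe));                     // begins with "#42"
  console.log("safe text param  :", JSON.stringify(serverSeesText(safe)));   // the full comment
  // Unescaped "&" splits the value into a bogus extra parameter.
  console.log("unsafe keys      :", serverSeesKeys(buildUrlUnsafe(7, "a&b"))); // news,text,b
  console.log("safe keys        :", serverSeesKeys(buildUrlSafe(7, "a&b")));   // news,text
  // URL encoding is transport only: a quote arrives unchanged, so the PHP side
  // still has to use prepared statements rather than string concatenation.
  console.log("quote round-trip :", serverSeesText(buildUrlSafe(7, "it's")));  // "it's"
}

demo();
```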
-1

Many characters (such as #) are not SQL safe and require escaping. At the very least you need to use

    var toSend = escape(mystring);

This will not protect from attacks but will get you down the road.

Shooky
  • [`escape`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/escape) is deprecated and not unicode safe. It should not be used. `#` is SQL safe (at least in this context), `'` would be problematic, but needs solving in the PHP not the JS. – Quentin Dec 23 '14 at 15:51
  • Agreed, but it gets the point across: strings need to be escaped before sending to the DB – Shooky Dec 23 '14 at 15:53
  • The problem here has nothing to do with the database (that is another problem the code suffers from). It is to do with putting data in URLs. – Quentin Dec 23 '14 at 15:54