
I am currently trying to upload a form to our database using mySQL, but the problem is when a user enters an apostrophe in the text field it breaks and gives this error:

Error updating database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm interested in football ''' This is a test', resume = '/var/www/html/' at line 6

Here is the code we are using to strip characters that are not permitted in the database, with exceptions granted to - , and ' :

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
<script>
$('textarea[name=studentTalking]').change(function() {
    // Read the current textarea contents
    var txt = $('textarea[name=studentTalking]').val();
    // Drop every character except letters, digits, whitespace, - , ' ( ) & and /
    txt = txt.replace(/[^-,'A-Za-z0-9\s\,\-\(\)\&\/]/gi, '');
    // Replace every ampersand (the original only replaced the first one, missing the g flag)
    txt = txt.replace(/\&/g, 'and');
    $('textarea[name=studentTalking]').val(txt);
});
</script>

What can I add to this code to manually escape the apostrophe so it may be submitted to the database? I have seen others solving this problem by using mysql_real_escape_string, but am unsure where to put it. If you need more code to help me, let me know, and I will try to edit this post with updated code.

  • Where is your PHP and SQL code. My guess is that you're not parameterizing your queries. – Jay Blanchard Oct 13 '17 at 17:13
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 13 '17 at 17:13
  • @JayBlanchard I have updated the post with some more code. I am not sure where to parameterize the code, I am not too adept at PHP and am working with old legacy code written by previous interns. – Bradley Newman Oct 13 '17 at 17:24
  • You would add it around each variable in the query, `mysql_real_escape_string($studentName)` for example. – Jay Blanchard Oct 13 '17 at 17:26
  • Just an FYI ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 13 '17 at 17:26
  • @JayBlanchard Thank you for your help. I will be discussing these vulnerabilities with my boss and possibly rewriting the code. – Bradley Newman Oct 13 '17 at 17:34
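The following is an added example of what the comments recommend; it is not code from the question or from the commenters. It shows the server-side UPDATE that produces the apostrophe error when the text is spliced into the SQL string, next to the same statement written as a PDO prepared statement, where the value travels separately from the SQL text and needs no escaping at all. The table name `students`, the column names `student_talking` and `resume`, the DSN and the credentials are assumptions; the column `resume` is taken from the error message in the question. The jQuery filter in the question runs only in the browser, so it cannot protect the database: anyone can submit the form with the script removed, which is why the fix belongs in the PHP.

```php
<?php
// Added example, not the asker's or the commenters' code.
// Assumptions: a MySQL table `students` with columns `id`, `student_talking`, `resume`;
// the DSN and the credentials below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=school;charset=utf8mb4',  // assumed DSN
    'dbuser',                                             // placeholder user
    'dbpass',                                             // placeholder password
    [
        // Throw on errors instead of returning false, so a failed UPDATE is not silently ignored
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side emulation
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// --- The pattern that fails in the question: user text spliced into the SQL. ---
// A value such as "I'm interested in football" closes the string literal at the
// apostrophe, which is exactly the syntax error shown in the question; the same
// mechanism is what makes the query injectable. Kept here only for contrast.
//
// $sql = "UPDATE students SET student_talking = '$talking', resume = '$resume' WHERE id = $id";
// $pdo->exec($sql);

// --- The fix: placeholders in the SQL, values bound separately. ---
function updateStudent(PDO $pdo, int $id, string $talking, string $resume): int
{
    $stmt = $pdo->prepare(
        'UPDATE students SET student_talking = :talking, resume = :resume WHERE id = :id'
    );
    // The bound values are sent to MySQL as data, never parsed as SQL,
    // so apostrophes, quotes and backslashes in $talking are stored verbatim.
    $stmt->bindValue(':talking', $talking, PDO::PARAM_STR);
    $stmt->bindValue(':resume', $resume, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();  // number of rows actually updated
}

// Form handling: read the raw submitted text; no escaping function is needed.
$talking = $_POST['studentTalking'] ?? '';
$resume  = '/var/www/html/resume.pdf';   // constructed sample path for the example
$id      = (int) ($_POST['id'] ?? 0);

try {
    $rows = updateStudent($pdo, $id, $talking, $resume);
    echo $rows === 1 ? "Updated.\n" : "No matching student.\n";
} catch (PDOException $e) {
    // Log the detail server-side; do not echo the driver message to the user,
    // since it reveals table and column names (as the error in the question does).
    error_log('Student update failed: ' . $e->getMessage());
    echo "Could not save the form.\n";
}
```

With this in place the jQuery code in the question can be dropped entirely or kept purely as a convenience for the user; it no longer has any bearing on whether the query succeeds. The same approach applies to every other query in the legacy code: each `'$variable'` inside an SQL string becomes a placeholder bound with `bindValue()` or passed as an array to `execute()`.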

0 Answers