Apostrophe issue - CodingForum

#1 Apostrophe issue

Hi,

I was running my website off an Ubuntu box with XAMPP on it for months, and today I built my own web server, but I am having SQL issues.

When I had XAMPP, SQL could process apostrophes in queries just fine, but now that I have custom built my web server (with Apache, PHP, SQL etc.), SQL throws errors if the query has an apostrophe in it.
I shouldn't have to use mysql_real_escape_string or anything because I wasn't with XAMPP, so I'm guessing it's SQL's problem =/

What is going on?! o.0
How can I fix this?

Thanks.

#2

You should be using mysql_real_escape_string to sanitize your incoming data; otherwise you are leaving yourself vulnerable to SQL injections.

Also, to clarify, you realize that SQL is the language itself and SQL Server, MySQL or Oracle are the database applications, right?


#3

Sorry, I mean MySQL (5.1.49).

I shouldn't have to use mysql_real_escape_string because when I was running XAMPP (which also runs MySQL 5.0.67) I was not having this issue. Is there something in the configuration that can alter this? I have had a look but was not very successful.

Thanks for your reply guelphdad


#4

Single quotes need to be escaped either with a second single quote or a backslash, or with magic_quotes turned on. You had to be doing one of those things with the previous install. There is no difference between what you were running before and what you are running now, with the exception of you choosing to install the three applications (that were already installed) and configure them by hand. Perhaps XAMPP turns on magic quotes or uses MRES by default.

If you don't want to run MRES, that's up to you; if you don't sanitize your data you are leaving yourself open to sql injection and cross server scripting attacks.

That's totally up to you, of course.


#5

Ok, thanks heaps guelphdad

I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends, so I don't really mind.


#6

Is your server available over the net? Then you are vulnerable to XSS and SQLI.


#7

Originally posted by dacoder96:
> Ok, thanks heaps guelphdad
>
> I am going to go with the dodgy way (not sanitizing and just using magic_quotes) because I monitor logs a lot and all my users are close friends, so I don't really mind.

magic_quotes is a deprecated feature. I'm expecting it to be gone in the next major release of PHP, which means your dodgy practice now becomes a complete vulnerability.
I wouldn't be surprised if it's sooner: the next minor release, 5.4, will include the removal of register_globals, register_long_arrays, and allow_call_time_pass_reference, which will of course remove some old functions (particularly the old session ones). If they are axing register_globals, I won't be surprised if magic_quotes_gpc and magic_quotes_runtime are also nuked in that release.

Monitoring your logs is a reactive approach. If you take a proactive one you won't need to be constantly monitoring the logs as much as just checking in.

PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm');

Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
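The following script is an added example, not code posted in the thread. It reproduces the error the original poster describes (an apostrophe in an interpolated query) and contrasts it with the two fixes mentioned in #4 and the proactive approach urged in #7: escaping the value, and a prepared statement. It assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite database so it runs offline; to run it against MySQL, replace the DSN with a `mysql:` DSN plus credentials (the `mysql_*` functions discussed in the thread were removed in PHP 7.0, and magic_quotes was removed in PHP 5.4).

```php
<?php
// Added example (not from the thread): why an apostrophe breaks a concatenated
// query, and how escaping and prepared statements handle it.
// Assumption: pdo_sqlite is available. Swap the DSN for MySQL if desired.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Make query failures throw instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

$pdo  = openDb();
$name = "O'Brien"; // constructed sample input containing an apostrophe

// 1. Interpolation: the apostrophe closes the string literal early, so the
//    database sees  VALUES ('O'Brien')  and raises a syntax error. This is the
//    failure the poster hits once nothing (magic_quotes, MRES) adds a backslash.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('$name')");
} catch (PDOException $e) {
    echo "Interpolated query failed: {$e->getMessage()}\n";
}

// 2. Escaping: PDO::quote() wraps the value in quotes and escapes embedded
//    quotes the way the driver expects (SQLite doubles them, giving 'O''Brien';
//    the MySQL driver backslash-escapes). This is the role mysql_real_escape_string
//    played for the old mysql extension, and it must be applied to every value.
$escaped = $pdo->quote($name);
$pdo->exec("INSERT INTO users (name) VALUES ($escaped)");

// 3. Prepared statement: SQL text and value travel separately, so the value is
//    never parsed as SQL. Nothing to escape and nothing to forget.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Both stored rows hold the literal O'Brien; a parameterized lookup finds them.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
echo "Rows named {$name}: " . $stmt->fetchColumn() . "\n";
```

Approach 1 is the one that fails (and, with attacker-controlled input, the one that is injectable); approach 2 works only if every single value is escaped; approach 3 is the proactive fix from #7, since the statement shape is fixed before any data is bound.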
