For me it's happening on quick edit and the properties page of the photo.

I have this is well but it only happened after I upgraded to PHP 8 (also with MySQL 8), with PHP 7.4 and MySQL 8 no problems at all. Pity there is no follow-up :-(

I'm STILL having this issue with using an apostrophe (single quote) in photo descriptions. This is my string in my local conf file:

$conf['sync_chars_regex'] = "/^[a-zA-Z0-9-_.(), '’&$£@#~öùüéá![]]+$/";

I can work around this by using either double single quotes '' or precede it with a backslash \' but I have to remember that. Otherwise when I submit the page, I get the error.

There's got to be a way to fix this ...

Ok, so how do I fix the description issue then? It used to work in v11 and I use apostrophes all the time.

SOLVED!

I had the same problem when I tried to enter apostrophes in Photo descriptions, Album descriptions and Batch Manager descriptions. (Maybe the problem occurs elsewhere, but I didn't search them out.) It just appeared when I upgraded to pwg 12.x .

I found out the sources of the problems and here's what I did. It's pretty simple.
(I did this on pwg 12.3 running php 8.1):

For Photo descriptions: edit piwigo/admin/picture_modify.php.

Look for this section of original code:

  if ($conf['allow_html_descriptions'])
  {
    $data['comment'] = @$_POST['description'];
  }
  else
  {
    $data['comment'] = strip_tags(@$_POST['description']);
  }

Modify two lines by adding addslashes():

  if ($conf['allow_html_descriptions'])
  {
    $data['comment'] = addslashes(@$_POST['description']);
  }
  else
  {
    $data['comment'] = addslashes(strip_tags(@$_POST['description']));
  }

For Album descriptions: edit piwigo/admin/cat_modify.php.

Look for this section of original code:

  if ($conf['activate_comments'])
  {
    $data['commentable'] = isset($_POST['commentable'])? 'true':'false';
  }

  single_update(
    CATEGORIES_TABLE,
    $data,
    array('id' => $data['id'])
    );

Insert one line with addslashes():

  if ($conf['activate_comments'])
  {
    $data['commentable'] = isset($_POST['commentable'])? 'true':'false';
  }
  $data['comment'] = addslashes($data['comment']);
  single_update(
    CATEGORIES_TABLE,
    $data,
    array('id' => $data['id'])
    );

For Batch Manager descriptions: edit piwigo/admin/batch_manager_unit.php.

Look for this section of original code:

    if ($conf['allow_html_descriptions'])
    {
      $data['comment'] = @$_POST['description-'.$row['id']];
    }
    else
    {
      $data['comment'] = strip_tags(@$_POST['description-'.$row['id']]);
    }

Modify two lines by adding addslashes():

    if ($conf['allow_html_descriptions'])
    {
      $data['comment'] = addslashes(@$_POST['description-'.$row['id']]);
    }
    else
    {
      $data['comment'] = addslashes(strip_tags(@$_POST['description-'.$row['id']]));
    }

It works for me; I hope it works for you.

Last edited by ahtoagah (2022-08-29 21:03:58)

I don't use Quick Edit, but I looked into some of its files and found that piwigo/plugins/AdminTools/include/events.inc.php has a similar statement on line 315.

You could try to add addslashes() around it like in the others I posted. I have a feeling it will work.

Good luck!

--edit: also line 311

Last edited by ahtoagah (2022-09-04 08:16:55)

I tested pwg_db_real_escape_string() and it seems to work fine. I wasn't worried about SQL injection, since I am the only one adding descriptions to my site, but since php advises its use in that situation it's another option if other users will be adding their own descriptions.

I am surprised that these sorts of text handling routines are found across so many files. I would have thought they would be centralised or globalised, so any customisation could be done in one place.