Now that both of my Piwigo sites are on 12.0.0RC2, I can't test this on 11.5, but I'm pretty sure I was able to use apostrophes in the photo description before. Now, I get this:
[mysql error 1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's seats', `date_creation` = '2021-10-26 18:50:05' WHERE `id` = '58886'' at line 5
UPDATE `pwg_images` SET `name` = 'IMG 0453', `author` = NULL, `level` = '0', `comment` = 'view from Jaime's seats', `date_creation` = '2021-10-26 18:50:05' WHERE `id` = '58886'
#1 my_error /usr/local/piwigo/include/dblayer/functions_mysqli.inc.php(132)
#2 pwg_query /usr/local/piwigo/include/dblayer/functions_mysqli.inc.php(335)
#3 mass_updates /usr/local/piwigo/admin/batch_manager_unit.php(86)
#4 include /usr/local/piwigo/admin/batch_manager.php(814)
#5 include /usr/local/piwigo/admin.php(314)
At first I thought I could work around this with $conf['sync_chars_regex'] but that doesn't seem to help. Did I change something else I forgot about or is this another issue with v12?
For now I can work around it by using two single quotes (ex. Jaime''s seats) and they resolve to a single quote when the description is displayed, but looking in the pwg_images.comment column in my database I see a lot of single quotes from before that also work when displayed, I just can't edit or add new.
Last edited by windracer (2021-10-27 23:29:16)
Is that only on the batch manager in unit mode? (I can't reproduce the bug for now)
For me it's happening on quick edit and the properties page of the photo.
I'm still having this issue with using an apostrophe in the photo description via quick edit, the properties page, or batch manager. I have to remember to use double apostrophes to avoid the error.
I have this as well but it only happened after I upgraded to PHP 8 (also with MySQL 8), with PHP 7.4 and MySQL 8 no problems at all. Pity there is no follow-up :-(
This is still an issue (unsurprisingly) in 13.0.0beta1. I have to remember to use double single apostrophes when writing a description that needs a single apostrophe in it.
I'm STILL having this issue with using an apostrophe (single quote) in photo descriptions. This is my string in my local conf file:
$conf['sync_chars_regex'] = "/^[a-zA-Z0-9-_.(), '’&$£@#~öùüéá!\[\]]+$/";
I can work around this by using either double single quotes '' or precede it with a backslash \' but I have to remember that. Otherwise when I submit the page, I get the error.
There's got to be a way to fix this ...
sync_chars_regex is only for directory and file names during sync, not descriptions. And do not use the ' apostrophe in that set, such names will break things. Using & ampersand may break things.
Ok, so how do I fix the description issue then? It used to work in v11 and I use apostrophes all the time.
No idea, plg might know what's wrong with the new code or at least what changed, I won't dive into it these days.
SOLVED!
I had the same problem when I tried to enter apostrophes in Photo descriptions, Album descriptions and Batch Manager descriptions. (Maybe the problem occurs elsewhere, but I didn't search them out.) It just appeared when I upgraded to pwg 12.x.
I found out the sources of the problems and here's what I did. It's pretty simple.
(I did this on pwg 12.3 running php 8.1):
For Photo descriptions: edit piwigo/admin/picture_modify.php.
Look for this section of original code:
if ($conf['allow_html_descriptions'])
{
  $data['comment'] = @$_POST['description'];
}
else
{
  $data['comment'] = strip_tags(@$_POST['description']);
}
Modify two lines by adding addslashes():
if ($conf['allow_html_descriptions'])
{
  $data['comment'] = addslashes(@$_POST['description']);
}
else
{
  $data['comment'] = addslashes(strip_tags(@$_POST['description']));
}
For Album descriptions: edit piwigo/admin/cat_modify.php.
Look for this section of original code:
if ($conf['activate_comments'])
{
  $data['commentable'] = isset($_POST['commentable']) ? 'true' : 'false';
}
single_update(
  CATEGORIES_TABLE,
  $data,
  array('id' => $data['id'])
);
Insert one line with addslashes():
if ($conf['activate_comments'])
{
  $data['commentable'] = isset($_POST['commentable']) ? 'true' : 'false';
}
$data['comment'] = addslashes($data['comment']);
single_update(
  CATEGORIES_TABLE,
  $data,
  array('id' => $data['id'])
);
For Batch Manager descriptions: edit piwigo/admin/batch_manager_unit.php.
Look for this section of original code:
if ($conf['allow_html_descriptions'])
{
  $data['comment'] = @$_POST['description-'.$row['id']];
}
else
{
  $data['comment'] = strip_tags(@$_POST['description-'.$row['id']]);
}
Modify two lines by adding addslashes():
if ($conf['allow_html_descriptions'])
{
  $data['comment'] = addslashes(@$_POST['description-'.$row['id']]);
}
else
{
  $data['comment'] = addslashes(strip_tags(@$_POST['description-'.$row['id']]));
}
It works for me; I hope it works for you.
Last edited by ahtoagah (2022-08-29 21:03:58)
Thank you! I will check out your suggested changes.
edit: that seems to work! The one place I still get the error is under Quick Edit for a photo but can't seem to figure out where to make a similar fix for that.
Last edited by windracer (2022-08-30 00:14:46)
I don't use Quick Edit, but I looked into some of its files and found that piwigo/plugins/AdminTools/include/events.inc.php has a similar statement on line 315.
You could try to add addslashes() around it like in the others I posted. I have a feeling it will work.
Good luck!
--edit: also line 311
Last edited by ahtoagah (2022-09-04 08:16:55)
Citing from https://www.php.net/manual/en/function.addslashes.php
The addslashes() is sometimes incorrectly used to try to prevent SQL Injection. Instead, database-specific escaping functions and/or prepared statements should be used.
Probably better is to use pwg_db_real_escape_string() that wraps mysql_real_escape_string() for MySQL on old systems or rather mysqli::real_escape_string() if MySQLi is used (should be the case on any modern system).
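An added example (not Piwigo's code, nor any poster's) showing why the UPDATE in the first post breaks on an apostrophe, and the two alternatives discussed above: connection-bound escaping (what pwg_db_real_escape_string() wraps on MySQLi) and a prepared statement. It uses the comment and image id from the error above; the mysqli connection details are placeholders. In Piwigo the value travels through $data into single_update()/mass_updates(), which is why the posted fixes escape before building $data.

```php
<?php
// Added example, not Piwigo code. Connection parameters are placeholders.
declare(strict_types=1);

function build_update_unescaped(string $comment, int $id): string
{
    // The shape of the failing query: the apostrophe in "Jaime's" closes the
    // string literal early and MySQL parses "s seats', ..." as SQL (error 1064).
    // Any user-controlled description can therefore alter the statement.
    return "UPDATE `pwg_images` SET `comment` = '" . $comment
         . "' WHERE `id` = '" . $id . "'";
}

function build_update_escaped(mysqli $db, string $comment, int $id): string
{
    // Escaping tied to the open connection and its charset. addslashes()
    // gives the same result for this input but is not charset-aware, which is
    // why the PHP manual advises against it for SQL.
    $safe = $db->real_escape_string($comment);
    return "UPDATE `pwg_images` SET `comment` = '" . $safe
         . "' WHERE `id` = '" . $id . "'";
}

function update_comment_prepared(mysqli $db, string $comment, int $id): bool
{
    // Prepared statement: the value never becomes part of the SQL text, so
    // quoting rules do not apply and the description cannot change the query.
    $stmt = $db->prepare("UPDATE `pwg_images` SET `comment` = ? WHERE `id` = ?");
    $stmt->bind_param('si', $comment, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$comment = "view from Jaime's seats"; // value taken from the error in the thread
$id = 58886;

echo build_update_unescaped($comment, $id), PHP_EOL;   // the broken query

$db = new mysqli('localhost', 'user', 'password', 'piwigo'); // placeholders
$db->set_charset('utf8mb4');
echo build_update_escaped($db, $comment, $id), PHP_EOL; // apostrophe now escaped
var_dump(update_comment_prepared($db, $comment, $id));
```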
I tested pwg_db_real_escape_string() and it seems to work fine. I wasn't worried about SQL injection, since I am the only one adding descriptions to my site, but since PHP advises its use in that situation it's another option if other users will be adding their own descriptions.
I am surprised that these sorts of text handling routines are found across so many files. I would have thought they would be centralised or globalised, so any customisation could be done in one place.