
#1 2022-09-20 02:16:23

Cadencia
Member
Auckland, New Zealand
2013-10-12
11

13.0.0RC2 Apostrophe in comments

Entering or editing a comment containing an apostrophe causes SQL failure.

Bypassed like this:

change functions_comment.inc.php thus:

@@ -215,11 +215,11 @@ INSERT INTO '.COMMENTS_TABLE.'
   (author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email)
   VALUES (
     \''.$comm['author'].'\',
     '.$comm['author_id'].',
     \''.$comm['ip'].'\',
-    \''.$comm['content'].'\',
+    \''.pwg_db_real_escape_string($comm['content']).'\',
     NOW(),
     \''.($comment_action=='validate' ? 'true':'false').'\',
     '.($comment_action=='validate' ? 'NOW()':'NULL').',
     '.$comm['image_id'].',
     '.(!empty($comm['website_url']) ? '\''.$comm['website_url'].'\'' : 'NULL').',
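Review bot: the same unescaped string splicing that breaks on content is left in place for the other values in this VALUES list: `\''.$comm['author'].'\',`, `\''.$comm['ip'].'\',` and `'\''.$comm['website_url'].'\''`. Unless those are escaped before this point (not visible in this hunk), they fail on an apostrophe in exactly the same way and need the same pwg_db_real_escape_string treatment; a parameterised statement would cover all of them at once. Also confirm content is not already escaped upstream, since escaping twice stores literal backslashes in the comment.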
@@ -235,15 +235,14 @@ INSERT INTO '.COMMENTS_TABLE.'
         or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');

       $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
-
       $keyargs_content = array(
         get_l10n_args('Author: %s', stripslashes($comm['author']) ),
         get_l10n_args('Email: %s', stripslashes($comm['email']) ),
-        get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
+        get_l10n_args('Comment: %s', pwg_db_real_escape_string($comm['content']) ),
         get_l10n_args(''),
         get_l10n_args('Manage this user comment: %s', $comment_url),
       );

       if ('moderate' == $comment_action)
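Review bot: pwg_db_real_escape_string is the wrong function on the `Comment: %s` line. `$keyargs_content` feeds the admin notification mail, not a query, so replacing `stripslashes($comm['content'])` with a database escape will put literal backslashes into the e-mail body whenever the comment contains a quote. If content is no longer slash-escaped by the time this code runs, plain `$comm['content']` is what this line should use; the removed blank line above `$keyargs_content = array(` is an unrelated whitespace change and should be dropped from the patch.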
@@ -366,11 +365,11 @@ function update_user_comment($comment, $post_key)
    $GLOBALS['user']['id'].'\'';
     }

     $query = '
UPDATE '.COMMENTS_TABLE.'
-  SET content = \''.$comment['content'].'\',
+  SET content = \''.pwg_db_real_escape_string($comment['content']).'\',
       website_url = '.(!empty($comment['website_url']) ? '\''.$comment['website_url'].'\'' : 'NULL').',
       validated = \''.($comment_action=='validate' ? 'true':'false').'\',
       validation_date = '.($comment_action=='validate' ? 'NOW()':'NULL').'
   WHERE id = '.$comment['comment_id'].
$user_where_clause.'
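Review bot: the UPDATE is still only half fixed: `website_url = '.(!empty($comment['website_url']) ? '\''.$comment['website_url'].'\'' : 'NULL')` splices the URL into the query unescaped, so an apostrophe there fails just as content did, and `WHERE id = '.$comment['comment_id']` should be an integer cast if it is not already one earlier in update_user_comment. Apply the same escaping (or, better, bound parameters) to website_url. The hunk also stops at `$user_where_clause.'`, so the end of the statement is not visible; please post the complete hunk.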


Environment
Piwigo 13.0.0RC2
Operating system: Linux
PHP: 8.1.2 [2022-08-24 13:49:26]
MySQL: 8.0.30-0ubuntu0.22.04.1 [2022-08-24 13:49:26]
Graphics Library: ImageMagick 6.9.11-60
Cache size: N/A (never calculated)
Activated plugin list (14):
About 1 menu
Additional Pages
Admin Tools
Advanced Menu Manager
AlwaysShowMetadata
Community
Exif View
Force HTTPS
Grum Plugins Classes.3
LocalFiles Editor
Perso About
Personal Plugin
Photo added by
user delete photo

Regards
Phil
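The failure in the post, and the two ways out of it, as an added example that is not part of the post and not Piwigo code: a comment text spliced into an INSERT by string concatenation breaks on an apostrophe and lets a crafted comment rewrite the statement (here, marking itself validated); escaping the value before splicing, as the patch does with pwg_db_real_escape_string, repairs that, and a bound parameter removes the problem entirely. It uses Python's sqlite3 module with an in-memory table shaped like the content/validated columns the patch touches (an assumption) and constructed sample inputs; the escaper doubles single quotes, which is SQLite's rule, not MySQL's.

```python
import sqlite3

# Constructed sample inputs (not from the forum post): an innocent
# apostrophe and a quote-breakout payload. The payload closes the content
# literal, supplies its own validated value and comments out the rest.
APOSTROPHE_COMMENT = "it's a nice photo"
INJECTION_COMMENT = "x', 'true') -- "


def make_db():
    """In-memory table with the two columns the patch touches (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        "id INTEGER PRIMARY KEY, content TEXT NOT NULL, validated TEXT NOT NULL)"
    )
    return conn


def insert_concat(conn, content):
    """Pre-patch pattern: the comment text is spliced into the SQL string.
    An apostrophe ends the literal early, so "it's" is a syntax error and a
    crafted value rewrites the rest of the statement."""
    sql = ("INSERT INTO comments (content, validated) "
           "VALUES ('" + content + "', 'false')")
    conn.execute(sql)
    conn.commit()


def sqlite_escape(value):
    """Minimal stand-in for a driver-specific escape routine. SQLite doubles
    single quotes; MySQL's real_escape_string backslash-escapes quotes,
    backslashes and NUL instead, so the rule depends on the driver."""
    return value.replace("'", "''")


def insert_escaped(conn, content):
    """The patch's approach: escape the value for this driver, then splice.
    Correct only if every spliced string is escaped exactly once."""
    sql = ("INSERT INTO comments (content, validated) "
           "VALUES ('" + sqlite_escape(content) + "', 'false')")
    conn.execute(sql)
    conn.commit()


def insert_param(conn, content):
    """Preferred fix: a bound parameter never takes part in SQL parsing,
    so quotes inside the data are irrelevant."""
    conn.execute(
        "INSERT INTO comments (content, validated) VALUES (?, 'false')",
        (content,),
    )
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT content, validated FROM comments ORDER BY id").fetchall()


def demo(inserter, content):
    """Run one inserter on a fresh table; return ('error', msg) or the rows."""
    conn = make_db()
    try:
        inserter(conn, content)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return rows(conn)


if __name__ == "__main__":
    for name, fn in (("concat", insert_concat),
                     ("escaped", insert_escaped),
                     ("param", insert_param)):
        print(name, "apostrophe ->", demo(fn, APOSTROPHE_COMMENT))
        print(name, "payload    ->", demo(fn, INJECTION_COMMENT))
```

With the concatenated query the apostrophe comment is rejected with a syntax error, while the payload is accepted and stored as content "x" with validated set to "true", which is the moderation bypass a comment form must not allow. Both the escaped and the parameterised versions store each input verbatim with validated "false"; the difference is that the escaped version has to be repeated, correctly, for every spliced value (author, website_url and so on), whereas the parameterised form needs no per-field care.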
