Entering or editing a comment containing an apostrophe cases SQL failure.
bypassed like this:
change functions_comment.inc.php thus:
@@ -215,11 +215,11 @@ INSERT INTO '.COMMENTS_TABLE.'
(author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email)
VALUES (
\''.$comm['author'].'\',
'.$comm['author_id'].',
\''.$comm['ip'].'\',
- \''.$comm['content'].'\',
+ \''.pwg_db_real_escape_string($comm['content']).'\',
NOW(),
\''.($comment_action=='validate' ? 'true':'false').'\',
'.($comment_action=='validate' ? 'NOW()':'NULL').',
'.$comm['image_id'].',
'.(!empty($comm['website_url']) ? '\''.$comm['website_url'].'\'' : 'NULL').',
@@ -235,15 +235,14 @@ INSERT INTO '.COMMENTS_TABLE.'
or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
$comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
-
$keyargs_content = array(
get_l10n_args('Author: %s', stripslashes($comm['author']) ),
get_l10n_args('Email: %s', stripslashes($comm['email']) ),
- get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
+ get_l10n_args('Comment: %s', pwg_db_real_escape_string($comm['content']) ),
get_l10n_args(''),
get_l10n_args('Manage this user comment: %s', $comment_url),
);
if ('moderate' == $comment_action)
@@ -366,11 +365,11 @@ function update_user_comment($comment, $post_key)
$GLOBALS['user']['id'].'\'';
}
$query = '
UPDATE '.COMMENTS_TABLE.'
- SET content = \''.$comment['content'].'\',
+ SET content = \''.pwg_db_real_escape_string($comment['content']).'\',
website_url = '.(!empty($comment['website_url']) ? '\''.$comment['website_url'].'\'' : 'NULL').',
validated = \''.($comment_action=='validate' ? 'true':'false').'\',
validation_date = '.($comment_action=='validate' ? 'NOW()':'NULL').'
WHERE id = '.$comment['comment_id'].
$user_where_clause.'
Environment
Piwigo 13.0.0RC2 Check for upgrade
Operating system: Linux
PHP: 8.1.2 (Show info) [2022-08-24 13:49:26]
MySQL: 8.0.30-0ubuntu0.22.04.1 [2022-08-24 13:49:26]
Graphics Library: ImageMagick 6.9.11-60
Cache size N/A never calculated Refresh
Activated plugin list14
About 1 menu
Additional Pages
Admin Tools
Advanced Menu Manager
AlwaysShowMetadata
Community
Exif View
Force HTTPS
Grum Plugins Classes.3
LocalFiles Editor
Perso About
Personal Plugin
Photo added by
user delete photo
Regards
Phil
Offline