Hi all - I am not a web person. I used to employ a web developer who left and since then I have a problem I can’t resolve! I have a website with a database (PHP & MySQL) that is having issues. Issue 1 is when I try to add a new record on the CMS to the database that contains an apostrophe, the record won’t save, and won’t get added to the website. Issue 2 is that when an email enquiry is sent to us from the website, if it contains an apostrophe it adds the enquiry to the database, but won’t then send an email advising that we have had an enquiry about the website. I am literally clueless about this but need to find a starting point as to where to go with this problem.
Not sure if it is relevant but the cPanel had an upgrade at around the same time that this issue started…?
Please someone!! You are my only hope!
For the apostrophe, try to save it as
mawburn''s
or if that doesn’t work, then
mawburn\\'s
Sounds like bad coding, so those extra characters might show up in the result, but one of them should save.
If the first one works, then you have a worse problem… you’re probably open to SQL Injection. Which would mean someone could type:
mawburn'; DROP TABLE users;
And delete the entire user database. Basically, someone could easily have full control of your entire database to add, delete, and remove anything they want. You may think “oh well we’re just a small website, nobody will bother us” but you’re wrong. There are people who comb the internet just looking for places to mess with for fun.
I don’t know how you could fix the second issue, but it sounds like the root cause is the same sort of situation.
There is a PHP function called addslashes() that you can probably use to fix this problem, but you’ll have to find someone who knows what they’re doing to add it in the right place in the code. This function escapes single quotes by putting a \ in front of them.
Disclaimer: It’s been ages since I’ve done much PHP so there may now be a better way to do this.
Thank you. I’ll check this out. There have been a few other issues that have been caused (so I’m told) by someone trying to change MySQL stuff into MySQLi - but not very well. I wonder if the two are related? Thanks for your help!
I don’t know much about this stuff, but one suggestion would be to update the CMS. PHP was recently updated on my CPanel server, and this caused similar issues in a few sites where the CMS hadn’t been updated for a while. Updating the CMS software to the latest version fixed the issue. It might also be worth googling the issue and including the name of the CMS, as I’ve never come across a CMS issue that someone else hadn’t already encountered and asked about online. If possible, include the PHP or database error report in the search.
Could be so many things.
Any data being sent to query should be escaped to handle apostrophes.
You might find something like this just before the insert query.
$name = mysql_real_escape_string($_POST['name']);
Now if that person has changed connection type, the line above won’t work anymore. It would need the DB connection variable added and use the mysqli version.
$name = mysqli_real_escape_string ($db, $_POST['name']);
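Added example, not part of any post above and not the site's own code: it reproduces the apostrophe failure from issue 1 and shows the same insert succeeding with a prepared statement, which removes the need to escape by hand. The `enquiries` table, the `$post` array and the two function names are constructed for illustration, and an in-memory SQLite database through PDO stands in for MySQL so the script runs without a server; mysqli offers the same pattern through `prepare()`, `bind_param()` and `execute()`.

```php
<?php
// Constructed demo: in-memory SQLite via PDO stands in for the site's MySQL
// database; table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE enquiries (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');

// Constructed stand-in for $_POST as submitted by the enquiry form.
$post = ['name' => "mawburn's", 'message' => "I'd like a quote"];

// 1) Query assembled by string concatenation. The apostrophe in the value
//    closes the SQL string literal early, the statement no longer parses,
//    and the record is never saved.
function insert_concatenated(PDO $db, array $post): bool
{
    $sql = "INSERT INTO enquiries (name, message) VALUES ('"
         . $post['name'] . "', '" . $post['message'] . "')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        echo 'concatenated insert failed: ', $e->getMessage(), "\n";
        return false;
    }
}

// 2) Prepared statement. The SQL text contains only placeholders and the
//    values travel separately, so quotes in the data cannot alter the query.
function insert_prepared(PDO $db, array $post): bool
{
    $stmt = $db->prepare(
        'INSERT INTO enquiries (name, message) VALUES (:name, :message)'
    );
    return $stmt->execute([
        ':name'    => $post['name'],
        ':message' => $post['message'],
    ]);
}

var_dump(insert_concatenated($db, $post));
var_dump(insert_prepared($db, $post));

// The stored text is exactly what was typed: no added backslashes and no
// doubled quotes showing up on the website afterwards.
foreach ($db->query('SELECT name, message FROM enquiries') as $row) {
    echo $row['name'], ' | ', $row['message'], "\n";
}
```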