April 14th, 2013, 04:53 AM
Special characters help in feedback form
On one of my customers' websites, I have a feedback form that automatically adds the feedback to the testimonials page by adding it to the testimonials database table and displaying it on the testimonials page.
I have noticed that if there is a special character like a ' or something, the feedback is not added.
I can't remember how to do it so that the feedback is added if it has a special character in the text.
Can someone help please?
April 14th, 2013, 05:04 AM
I augur ill.
This sounds like you've got an SQL injection vulnerability in your code, caused by inserting unescaped variables into query strings. The quote issue is just a very mild effect of this. What's much worse is that anybody can manipulate the queries and gain unauthorized access to the database.
To give you a definite answer, we need to see the concrete code, though.
April 14th, 2013, 05:17 AM
Thank you for your reply
I have hidden the coding as it was insecure.
Last edited by ianhaney; April 14th, 2013 at 05:41 AM.
Reason: insecure coding
April 14th, 2013, 05:27 AM
Yes, your code is indeed vulnerable to SQL injections, which is a disaster. Let's hope nobody has exploited that yet.
You need to fix those vulnerabilities now and learn how to write secure code. Check the link in my URL and then go through every query to escape the values.
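A runnable illustration of the quote failure described above and of the parameterised fix, added here as an example and not code from the thread; it uses Python's sqlite3 with a constructed testimonials table, since the site's actual code and language are not shown.

```python
import sqlite3

# In-memory database standing in for the site's testimonials table
# (constructed for this example; the real schema is not shown in the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testimonials (id INTEGER PRIMARY KEY, name TEXT, feedback TEXT)")
    return conn

def insert_feedback_unsafe(conn, name, feedback):
    """The pattern that breaks on a quote: user input pasted into the SQL string.
    A feedback text containing ' ends the string literal early, so the statement
    is no longer valid SQL; any input is being interpreted as part of the query."""
    sql = "INSERT INTO testimonials (name, feedback) VALUES ('%s', '%s')" % (name, feedback)
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False

def insert_feedback_safe(conn, name, feedback):
    """Parameterised query: the driver sends the values separately from the SQL,
    so quotes are just data and can never change the statement's structure."""
    conn.execute(
        "INSERT INTO testimonials (name, feedback) VALUES (?, ?)",
        (name, feedback),
    )
    conn.commit()
    return True

def stored_feedback(conn):
    """Return the feedback texts currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT feedback FROM testimonials ORDER BY id")]

if __name__ == "__main__":
    conn = make_db()
    text = "It's a great site, wouldn't change a thing"
    print("unsafe:", insert_feedback_unsafe(conn, "Ian", text))  # False: the quote breaks the SQL
    print("safe:  ", insert_feedback_safe(conn, "Ian", text))    # True
    print(stored_feedback(conn))
```

Escaping every value by hand works only if no query is missed; binding parameters as shown removes the problem for every query at once.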
April 14th, 2013, 05:33 AM
Sorry, what link do I need to click on?
April 14th, 2013, 05:58 AM