Since I moved my blog to a new web server, the PHP version has jumped from 5.2 to 5.4. I previously wrote about changes from mysql to mysqli where I already replace some mysql queries by mysqli queries. But shortly after these obvious changes, I stumbled upon a bug in my comment form: The form didn't accept single quotes (') anymore. But I was pretty sure, this has worked before.
So I compared the same form on the old web server again:
On the PHP 5.2 server the insert of the comment immediately worked. The output of the entered comment text looked like this:
This is a test on a web server. It\'s PHP version is 5.2.
But on the PHP 5.4 server, the following error message was shown:
Fehlermeldung=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's PHP version is 5.4.','1379575549')' at line 3
After some research, I came across the function mysql_real_escape_string (or mysqli_real_escape_string for mysqli), which does the job of escaping special characters.
Right before the SQL insert, I added the following line to let the whole comment text getting parset by mysql_real_escape_string:
$iText = mysql_real_escape_string($iText);
The comment form now worked again and the output looked kind of familiar:
This is a test on a web server. It\'s PHP version is 5.4.
It's actually funny that this has worked in PHP 5.2 without mysql_real_escape_string.