So I have a comments script I’ve written in CodeIgniter that uses PHP and jQuery.
Basically, a user writes a comment and then hits submit. I then use AJAX to call a server side script to check, validate and insert the comment.
At the jQuery end I am escaping using encodeURIComponent:
$.ajax({
    url : 'http://domain.com/ajax/post_comment',
    type : 'post',
    data : encodeURIComponent( $(this).val() ),
    success : function(data){
        //more code here
    }
});
At the PHP end, as I say, I’m using CodeIgniter, so I am escaping the comments using the binding provided by CodeIgniter, like below:
// the ? placeholder is filled in (and escaped) by CodeIgniter's query binding
$sql = "INSERT INTO video_comments VALUES(NULL, ?)";
$this->db->query($sql, array($comment));
This works pretty well and can escape and insert
!"£$%^&*()_+=-}{~@:?></.,#;][¬`|
Now the problem is that it cannot insert ' (single quote) or \ (backslash). I guess because it’s not escaping them properly?
One clue might be that it does allow me to insert \' which I guess escapes the single quote? But I would have thought CodeIgniter’s binding would take care of that at least?
Any ideas?
First, don’t use encodeURIComponent. That’s not the intended use of it at all.
Edit: Here’s a link discussing what that call is actually for: When are you supposed to use escape instead of encodeURI / encodeURIComponent?
Second, I don’t see where you are escaping in the PHP code. CodeIgniter has built-in escape functions, like escape_str.
More info here:
http://codeigniter.com/user_guide/database/queries.html
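To make the answer's first point concrete, here is an added example (not code from the question or the answer) that simulates the request round trip in plain JavaScript. URLSearchParams stands in for jQuery's own form serialisation (jQuery.param) on the client and for PHP populating $_POST on the server; the helper names buildFormBody and parseFormBody and the sample comment are constructed for this example. It compares the correct shape of `data`, a pre-encoded value inside that shape (double encoding), and the question's shape where the encoded string is the whole body.

```javascript
// Added example, not from the original post. Assumes the PHP side reads the
// comment as $_POST['comment']; buildFormBody/parseFormBody are stand-ins
// for jQuery.param() and PHP's form-body parsing, not library functions.

// What jQuery does for `data: { comment: value }`: it serialises the object as
// application/x-www-form-urlencoded. URLSearchParams uses the same encoding.
function buildFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Stand-in for the server decoding the body into a key/value map ($_POST).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Constructed sample containing the two characters the question could not insert.
const COMMENT = "it's a \\ backslash";

// Correct: hand the raw value to the library and let it encode once.
// The single quote and the backslash both survive the round trip.
function correctRoundTrip(comment) {
  const body = buildFormBody({ comment });           // comment=it%27s+a+%5C+backslash
  return parseFormBody(body).comment;
}

// Wrong (double encoding): pre-encoding the value and then sending it as a
// field encodes the '%' of '%5C' again, so the server receives the literal
// text "%5C" instead of a backslash.
function doubleEncodedRoundTrip(comment) {
  const body = buildFormBody({ comment: encodeURIComponent(comment) });
  return parseFormBody(body).comment;
}

// Wrong (the question's shape): the encoded string is the entire body, so
// there is no "comment=" field at all. The server sees the comment text as a
// key with an empty value, and $_POST['comment'] is not set.
function rawBodyRoundTrip(comment) {
  const body = encodeURIComponent(comment);          // it's%20a%20%5C%20backslash
  return parseFormBody(body);
}

console.log(JSON.stringify(correctRoundTrip(COMMENT)));       // "it's a \\ backslash"
console.log(JSON.stringify(doubleEncodedRoundTrip(COMMENT))); // "it's%20a%20%5C%20backslash"
console.log(JSON.stringify(rawBodyRoundTrip(COMMENT)));       // {"it's a \\ backslash":""}
```

Once the value arrives intact as a named field, the `?` binding in the question's INSERT is the right place for escaping; nothing on the client side should try to escape for the database.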