So I have a comments script I've written in CodeIgniter that uses PHP and jQuery.
Basically, a user writes a comment and then hits submit. I then use AJAX to call a server-side script to check, validate and insert the comment.
At the jQuery end I am escaping using encodeURIComponent:
$.ajax({
url : 'http://domain.com/ajax/post_comment',
type : 'post',
// send the value under a field name so the server can read it as $_POST['comment']
data : 'comment=' + encodeURIComponent( $(this).val() ),
success : function(data){
//more code here
}
});
At the PHP end, as I say, I'm using CodeIgniter, so I am escaping the comments using the binding provided by CodeIgniter, like below:
$comment = $this->input->post('comment'); // the posted comment field
$sql = "INSERT INTO video_comments VALUES(NULL, ?)"; // the ? is filled in by the binding
$this->db->query($sql, array($comment));
This works pretty well and can escape and insert
!"£$%^&*()_+=-}{~@:?></.,#;][¬`|
Now the problem is that it cannot insert ' (single quote) or \ (backslash). I guess because it's not escaping them properly?
One clue might be that it does allow me to insert \' which I guess escapes the single quote? But I would have thought CodeIgniter's binding would take care of that at least?
Any ideas?
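Added here as a diagnostic, not code from the question: a JavaScript round-trip that encodes a comment the way the jQuery call sends it (giving the field a name, which the posted snippet lacks) and decodes it the way a form-urlencoded body is parsed on the server, to check whether ' and \ survive transport. The function names and the field name comment are assumptions.

```javascript
// Build an application/x-www-form-urlencoded body for one field, as the
// jQuery call would send it (assumed field name: comment).
function buildCommentBody(comment) {
  return 'comment=' + encodeURIComponent(comment);
}

// Decode a form-urlencoded body into an object, as PHP decodes it into $_POST.
// In this encoding '+' stands for a space, so it is mapped before decoding.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    fields[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return fields;
}

// Round-trip a comment through encode and decode; true means the value the
// server sees equals the original, so transport is not where it gets lost.
function survivesTransport(comment) {
  return parseFormBody(buildCommentBody(comment)).comment === comment;
}

// The characters of s that encodeURIComponent leaves as they are. Note that
// "'" is one of them (it arrives literally), while "\" is sent as %5C.
function unencodedChars(s) {
  return [...s].filter(ch => encodeURIComponent(ch) === ch);
}

// Constructed sample inputs: the punctuation list from the question plus the
// two characters that the question says fail to insert.
const SAMPLES = [
  '!"£$%^&*()_+=-}{~@:?></.,#;][¬`|',
  "it's",
  'C:\\path\\file',
  "\\'",
];

// Run the check over every sample; returns the ones that do not survive.
function failingSamples() {
  return SAMPLES.filter(s => !survivesTransport(s));
}
```

If every sample survives, the client-side encoding is lossless and the place to look is what happens to $_POST between CodeIgniter's input handling and the bound query.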