[RCD] Handling invalid address book entries
gnul
nullchar at gmail.com
Fri Oct 17 20:17:16 CEST 2008
>
> $sql = "update contacts set firstname = 'test\'s' where contact_id=?";
> $sql_result = $RCMAIL->db->query($sql,'91');
>
The above SQL is not using prepared statements correctly. Every
parameter in a query that may be user-defined should use the "?". I
don't know the exact syntax for db->query(), but the above should look
something like this:
$sql = "update contacts set firstname = ? where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,"test's", "91");
Note there is NO escaping of single quotes. If using prepared
statements correctly, you should never need to escape anything.
-gnul
_______________________________________________
List info: http://lists.roundcube.net/dev/
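The contrast the post draws, shown as an added example that is not part of the original message and not Roundcube's own code: the first statement splices the user's value into the SQL text and breaks on the apostrophe, the second hands the same value to the driver through a "?" placeholder and stores it intact. It uses PDO with an in-memory SQLite database (an assumption made so it runs offline; Roundcube's real layer is $RCMAIL->db), and the contacts table and row are constructed here, not taken from Roundcube's schema.

```php
<?php
// Added example, not from the original post or the Roundcube code base.
// Shows why "?" placeholders remove the need to escape quotes by hand.
// PDO + in-memory SQLite is an assumption so this runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and row; not Roundcube's schema.
$db->exec("CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, firstname TEXT)");
$db->exec("INSERT INTO contacts (contact_id, firstname) VALUES (91, 'old')");

// The value as a user typed it into the form, apostrophe included.
$firstname = "test's";
$contactId = '91';

// 1) String building: the apostrophe ends the SQL string literal early,
//    so the statement is malformed. This is the pattern the post argues against.
try {
    $db->exec("UPDATE contacts SET firstname = '$firstname' WHERE contact_id = $contactId");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2) Placeholders: the value never becomes part of the SQL text, so nothing
//    has to be escaped and the apostrophe is stored exactly as entered.
$stmt = $db->prepare("UPDATE contacts SET firstname = ? WHERE contact_id = ?");
$stmt->execute([$firstname, $contactId]);

// Read the row back to confirm what was stored.
$check = $db->prepare("SELECT firstname FROM contacts WHERE contact_id = ?");
$check->execute([$contactId]);
echo "Stored value: " . $check->fetchColumn() . PHP_EOL;
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The first UPDATE is caught as a syntax error, which is exactly the failure the thread started from; the second UPDATE succeeds without any `\'` in the query string, which is the point of the post.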