[RCD] Handling invalid address book entries
Dennis P. Nikolaenko
dennis at nikolaenko.ru
Fri Oct 17 20:45:16 CEST 2008
>> $sql = "update contacts set firstname = 'test\'s' where contact_id=?";
>> $sql_result = $RCMAIL->db->query($sql,'91');
> The above SQL is not using prepared statements correctly. Every
> parameter in a query that may be user-defined should use the "?". I
> don't know the exact syntax for db->query(), but the above should look
> something like this:
> $sql = "update contacts set firstname = ? where contact_id=?";
> $sql_result = $RCMAIL->db->query($sql,"test's", "91");
> Note there is NO escaping of single quotes. If using prepared
> statements correctly, you should never need to escape anything.
The problem is that the tables can be extended with new columns, which
will require adding more code than with the current approach.
Using ? placeholders for everything may work around the bug in MDB2, but
the bug still remains to be fixed.
List info: http://lists.roundcube.net/dev/