Ziba Scott wrote:
Hi Mike,
RC is using prepared statements. Even so, just quoting the character might not be the total answer, because ticket 1463946 claims that if this single quote were stored, it would cause problems down the line. So there is still a question of escaping, storing and fixing later problems, or rejecting in the first place.
Any character should be allowed in names. A regex should be used for the email field. That's all. Also, there's quoting in rcube_contacts:

    $a_insert_cols[] = $this->db->quoteIdentifier($col);
    $a_insert_values[] = $this->db->quote($save_data[$col]);

so really, I don't see where the problem is.
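To make the point of the thread concrete, here is an added example (written for this page, not Roundcube's code) that stores a contact name containing a single quote three ways: by naive string concatenation, by escaping the value the way a DB layer's quote() does, and by a prepared statement with bound parameters. It uses Python's sqlite3 module in place of Roundcube's PHP database layer; the contacts table, the sample contact and the email regex are all assumptions constructed for the example, not Roundcube's schema or validation rule.

```python
import re
import sqlite3

# Constructed sample input: a contact whose name contains a single quote.
SAMPLE_CONTACT = {"name": "Miles O'Brien", "email": "miles.obrien@example.org"}

# Assumed email check (not Roundcube's regex): something@something.tld,
# with no whitespace, extra '@' or quote characters.
EMAIL_RE = re.compile(r"^[^\s@']+@[^\s@']+\.[^\s@']+$")


def email_is_valid(email):
    """Reject anything that does not look like local@domain.tld."""
    return bool(EMAIL_RE.match(email))


def quote_sql_string(value):
    """Mimic a DB layer's quote(): wrap in single quotes, double embedded ones."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier(name):
    """Mimic quoteIdentifier(): double-quote a column name (SQL standard style)."""
    return '"' + name.replace('"', '""') + '"'


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "contact_id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    return conn


def insert_naive(conn, contact):
    # Unsafe: the value is spliced into the SQL text, so a single quote in
    # the name either breaks the statement or lets the data rewrite it.
    sql = "INSERT INTO contacts (name, email) VALUES ('%s', '%s')" % (
        contact["name"], contact["email"])
    conn.execute(sql)


def insert_quoted(conn, contact):
    # The quote()/quoteIdentifier() approach: escape each column name and
    # value before building the statement text.
    cols = ("name", "email")
    col_sql = ", ".join(quote_identifier(c) for c in cols)
    val_sql = ", ".join(quote_sql_string(contact[c]) for c in cols)
    conn.execute("INSERT INTO contacts (%s) VALUES (%s)" % (col_sql, val_sql))


def insert_prepared(conn, contact):
    # Prepared statement: the driver sends values separately from the SQL,
    # so no escaping of the data is needed at all.
    conn.execute("INSERT INTO contacts (name, email) VALUES (?, ?)",
                 (contact["name"], contact["email"]))


def find_by_name(conn, name):
    """Look the stored row up again, also with a bound parameter, to show that
    a stored single quote causes no problem 'down the line' either."""
    row = conn.execute("SELECT contact_id FROM contacts WHERE name = ?",
                       (name,)).fetchone()
    return row[0] if row else None


def round_trip(insert_fn, contact=SAMPLE_CONTACT):
    """Insert with insert_fn and return the name read back, or None if the
    insert failed. The email is validated first; the name is not filtered."""
    if not email_is_valid(contact["email"]):
        raise ValueError("rejected email: %r" % contact["email"])
    conn = _fresh_db()
    try:
        insert_fn(conn, contact)
    except sqlite3.Error:
        return None
    contact_id = find_by_name(conn, contact["name"])
    if contact_id is None:
        return None
    return conn.execute("SELECT name FROM contacts WHERE contact_id = ?",
                        (contact_id,)).fetchone()[0]


if __name__ == "__main__":
    for fn in (insert_naive, insert_quoted, insert_prepared):
        print("%-16s -> %r" % (fn.__name__, round_trip(fn)))
```

Running it shows the naive insert failing on the quote while both the escaped and the prepared insert store and retrieve `Miles O'Brien` unchanged; a name such as `x'); DROP TABLE contacts; --` is likewise stored as a plain string by the prepared insert. Note that quote() and a prepared statement protect the SQL statement only; if the stored name is later placed into HTML or another SQL string without its own escaping, that is a separate bug at that later point, not a reason to strip the character on input.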