Re: [RCD] Handling invalid address book entries

17 Oct 2008


      ...
$sql = "update contacts set firstname = 'test's' where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,'91');
The above SQL is not using prepared statements correctly.  Every
parameter in a query that may be user-defined should use the "?".  I
don't know the exact syntax for db->query(), but the above should look
something like this:
$sql = "update contacts set firstname = ? where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,"test's", "91");
Note there is NO escaping of single quotes.  If using prepared
statements correctly, you should never need to escape anything.
-gnul
_______________________________________________
List info: http://lists.roundcube.net/dev/

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [RCD] Handling invalid address book entries