$sql = "update contacts set firstname = 'test's' where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,'91');
The above SQL is not using prepared statements correctly. Every parameter in a query that may be user-defined should use the "?". I don't know the exact syntax for db->query(), but the above should look something like this:
$sql = "update contacts set firstname = ? where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,"test's", "91");
Note there is NO escaping of single quotes. If using prepared statements correctly, you should never need to escape anything.
-gnul

_______________________________________________
List info: http://lists.roundcube.net/dev/
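Added example, not code from this thread or from Roundcube's rcube_db: the two update statements above replayed against an in-memory SQLite table through Python's sqlite3 module, whose "?" placeholders bind values the same way the corrected query does. The contacts table, its single row, and the helper names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for Roundcube's contacts table with one row (id 91).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table contacts (contact_id integer primary key, firstname text)")
    conn.execute("insert into contacts (contact_id, firstname) values (91, 'old')")
    conn.commit()
    return conn


def update_firstname_spliced(conn, contact_id, firstname):
    # Mirrors the first snippet in the post: the value is pasted into the SQL text,
    # so an apostrophe in the data becomes part of the statement's syntax.
    sql = "update contacts set firstname = '%s' where contact_id=%s" % (firstname, contact_id)
    conn.execute(sql)
    conn.commit()


def update_firstname_bound(conn, contact_id, firstname):
    # Mirrors the corrected snippet: every value goes through a "?" placeholder
    # and is handed to the driver separately, so no escaping is ever needed.
    conn.execute("update contacts set firstname = ? where contact_id=?", (firstname, contact_id))
    conn.commit()


def get_firstname(conn, contact_id):
    row = conn.execute("select firstname from contacts where contact_id=?", (contact_id,)).fetchone()
    return row[0] if row else None


def roundtrip(firstname):
    # Store a value through the bound statement and read it back unchanged.
    conn = make_db()
    update_firstname_bound(conn, 91, firstname)
    return get_firstname(conn, 91)


def compare(firstname):
    # Returns (value stored by the bound update, outcome of the spliced update).
    conn = make_db()
    update_firstname_bound(conn, 91, firstname)
    stored = get_firstname(conn, 91)
    try:
        update_firstname_spliced(conn, 91, firstname)
        outcome = "ok"
    except sqlite3.OperationalError:
        outcome = "syntax error"   # the same failure "'test's'" causes in the original line
    return stored, outcome


if __name__ == "__main__":
    print(compare("test's"))
```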