till wrote:
On Thu, Oct 16, 2008 at 9:08 PM, Dennis P. Nikolaenko dennis@nikolaenko.ru wrote:
till wrote:
On Thu, Oct 16, 2008 at 9:03 PM, Dennis P. Nikolaenko dennis@nikolaenko.ru wrote:
A.L.E.C wrote:
Ziba Scott wrote:
Hi Mike,
RC is using prepared statements. Even so, just quoting the character might not be the total answer because ticket: 1463946 claims that if this single quote were stored, it would cause problems down the line. So there is still a question of escaping, storing and fixing later problems or rejecting in the first place.
Any character should be allowed in names. For the email field, a regex should be used. That's all. Also there's quoting in rcube_contacts:
$a_insert_cols[] = $this->db->quoteIdentifier($col);
$a_insert_values[] = $this->db->quote($save_data[$col]);
so really, I don't see where the problem is.
I think the problem lies in MDB2, in the way it tries to avoid substituting '?' inside quoted strings when calling prepare(). It looks like query() indirectly calls prepare() in the MySQL MDB2 driver. Is it the latest version in the RC tree?
I think this is not a bug, but a feature. If I remember correctly there is auto-quoting (or maybe I saw it in another DBAL).
MySQL MDB2 bails out on ' strings inside '-quoted strings, but it is perfectly legal to have such a string in SQL.
Yes, it's called "quoting data". You have to do it yourself.
Err, that is not MySQL driver specific, actually. In _skipDelimitedStrings() I get for $query when saving my identity:
SET name
='Dennis P. Nikolaenko', email
='dennis@nikolaenko.ru',
organization
='foo'', reply-to
='', bcc
='', standard
='1',
signature
='Regards,\r\nDennis P. Nikolaenko', html_signature
=0
WHERE identity_id=?
AND user_id=?
AND del<>1
This is legal SQL. But _skipDelimitedStrings() essentially counts ' to get an idea of where strings start and end. It does not handle the case when a string contains an embedded '.

--
Dennis

_______________________________________________
List info: http://lists.roundcube.net/dev/