A.L.E.C wrote:
Ziba Scott wrote:
Hi Mike,
RC is using prepared statements. Even so, just quoting the character might not be the total answer, because ticket 1463946 claims that if this single quote were stored, it would cause problems down the line. So there is still a question of escaping, storing and fixing later problems, or rejecting in the first place.
Any character should be allowed in names. A regex should be used for the email field. That's all. Also there's quoting in rcube_contacts:
$a_insert_cols[] = $this->db->quoteIdentifier($col);
$a_insert_values[] = $this->db->quote($save_data[$col]);
so really, I don't see where the problem is.
I think the problem lies in MDB2, in the way it tries to avoid substituting '?' inside quoted strings when calling prepare(). It looks like query() indirectly calls prepare() in the MySQL MDB2 driver. Is it the latest version in the RC tree?
-- 
Dennis
_______________________________________________
List info: http://lists.roundcube.net/dev/
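The following is an added illustration of the class of bug Dennis describes; it is not Roundcube or MDB2 code and makes no claim about what MDB2's prepare() actually does. It models a placeholder scanner that must skip '?' inside string literals, and shows what happens when the escaping convention used by quote() (MySQL-style backslash escapes) differs from the one the scanner understands (only SQL-standard '' doubling). The function names, the stand-in mysql_quote(), the query and the values are all constructed for the example.

```python
# Added illustration (not Roundcube or MDB2 code): how a '?' placeholder scanner
# that does not understand the escaping convention of the quoted values around it
# mis-counts placeholders. All names, queries and values are constructed.


def find_placeholders(sql, backslash_escapes):
    """Return offsets of '?' characters that are outside string literals.

    backslash_escapes=False: only the SQL-standard '' doubling continues a literal.
    backslash_escapes=True: additionally, a backslash escapes the next character,
    which is how MySQL (and a MySQL-style quote()) escape quotes by default.
    """
    positions = []
    quote = None            # quote char of the literal we are inside, or None
    i = 0
    n = len(sql)
    while i < n:
        c = sql[i]
        if quote is None:
            if c in ("'", '"'):
                quote = c
            elif c == '?':
                positions.append(i)
        else:
            if backslash_escapes and c == '\\' and i + 1 < n:
                i += 2          # skip the escaped character
                continue
            if c == quote:
                if i + 1 < n and sql[i + 1] == quote:
                    i += 2      # doubled quote inside the literal
                    continue
                quote = None
        i += 1
    return positions


def mysql_quote(value):
    """Constructed stand-in for a MySQL-style quote(): backslash-escape, wrap in ''."""
    escaped = value.replace('\\', '\\\\').replace("'", "\\'")
    return "'" + escaped + "'"


def bind(sql, params, backslash_escapes=True):
    """Substitute quoted params into the '?' placeholders the scanner found.

    Raises ValueError when the placeholder count does not match the params,
    which is the symptom a mis-scanned query produces.
    """
    positions = find_placeholders(sql, backslash_escapes)
    if len(positions) != len(params):
        raise ValueError(f"expected {len(params)} placeholders, found {len(positions)}")
    out = []
    last = 0
    for pos, param in zip(positions, params):
        out.append(sql[last:pos])
        out.append(mysql_quote(param))
        last = pos + 1
    out.append(sql[last:])
    return ''.join(out)


# Constructed example: a name containing a single quote was already inlined with
# mysql_quote() (as the rcube_contacts snippet in the thread does), and one real
# placeholder is left for the e-mail address.
NAME_LITERAL = mysql_quote("O'Brien")     # 'O\'Brien'
QUERY = f"SELECT * FROM contacts WHERE name = {NAME_LITERAL} AND email = ?"

if __name__ == '__main__':
    # A scanner that knows the backslash convention finds the one real '?'.
    print(find_placeholders(QUERY, backslash_escapes=True))
    # A scanner that only knows '' doubling thinks the literal ended at \' and
    # that a new literal opened at the closing quote, so the real '?' looks like
    # it is inside a string and nothing is found.
    print(find_placeholders(QUERY, backslash_escapes=False))
    print(bind(QUERY, ["x?@example.org"]))
```

The second scan in the example is the point of the thread: once a quoted value is inlined and the result is handed to a layer that scans for placeholders again, the scanner and the quoting routine must agree on how a quote inside a value is escaped, or the '?' count is wrong. Passing every value as a bound parameter, rather than inlining quote() output, sidesteps the disagreement entirely.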