I agree with gnul - thanks for outlining the issue that way. As I
already said before - if prepared statements are used correctly there
is no need for quoting!
--
Michael Baierl
http://mbaierl.com/
On 17.10.2008, at 20:45, "Dennis P. Nikolaenko" dennis@nikolaenko.ru wrote:
> gnul wrote:
>>> $sql = "update contacts set firstname = 'test's' where
>>> contact_id=?";
>>> $sql_result = $RCMAIL->db->query($sql,'91');
>>>
>>>
>>
>> The above SQL is not using prepared statements correctly. Every
>> parameter in a query that may be user-defined should use the "?". I
>> don't know the exact syntax for db->query(), but the above should
>> look
>> something like this:
>>
>> $sql = "update contacts set firstname = ? where contact_id=?";
>> $sql_result = $RCMAIL->db->query($sql,"test's", "91");
>>
>> Note there is NO escaping of single quotes. If using prepared
>> statements correctly, you should never need to escape anything.
>>
> The problem is that the tables can be extended with new columns, which
> will require more code additions than with the current approach.
> Using ? placeholders for everything may work around the bug in MDB2,
> but the bug still remains to be fixed.
> --
> Dennis
>
> _______________________________________________
> List info: http://lists.roundcube.net/dev/
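To make the point of the thread concrete, here is an added example (not from the Roundcube code base or MDB2, and written in Python with the standard sqlite3 module rather than PHP) that puts the two approaches side by side: the first function pastes the value into the SQL text the way the original snippet does, the second passes it through a ? placeholder. The table, the contact id 91 and the value "test's" are constructed to mirror the snippet; nothing else about the schema is taken from the project.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema mirroring the snippet's table and row.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table contacts (contact_id integer primary key, firstname text)")
    conn.execute("insert into contacts (contact_id, firstname) values (91, 'old')")
    return conn


def update_interpolated(conn, firstname, contact_id):
    # The approach from the original snippet: the value becomes part of the
    # SQL text, so the embedded single quote terminates the literal early and
    # the statement no longer parses (and, in general, is attacker-controlled).
    sql = f"update contacts set firstname = '{firstname}' where contact_id={contact_id}"
    conn.execute(sql)


def update_prepared(conn, firstname, contact_id):
    # gnul's approach: every user-controlled value is a bound parameter. The
    # driver never merges it into the SQL text, so no escaping is needed.
    sql = "update contacts set firstname = ? where contact_id = ?"
    conn.execute(sql, (firstname, contact_id))


def firstname_of(conn, contact_id):
    row = conn.execute(
        "select firstname from contacts where contact_id = ?", (contact_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the same row and report what happened."""
    results = {}
    conn = make_db()

    try:
        update_interpolated(conn, "test's", 91)
        results["interpolated"] = "ok"
    except sqlite3.OperationalError:
        # Unterminated string literal: exactly the failure the thread reports.
        results["interpolated"] = "error"

    update_prepared(conn, "test's", 91)
    results["prepared"] = firstname_of(conn, 91)

    # A value that looks like SQL is still stored verbatim as data.
    update_prepared(conn, "O'Brien; drop table contacts", 91)
    results["prepared_literal"] = firstname_of(conn, 91)
    return results


if __name__ == "__main__":
    print(demo())
```

The second parameterised update shows the defensive property that matters: whatever the value contains, the database receives it as a bound string and the statement's structure is fixed by the code, which is why "no quoting" is the correct rule once placeholders are used everywhere.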