gnul wrote:
$sql = "update contacts set firstname = 'test's' where contact_id=?"; $sql_result = $RCMAIL->db->query($sql,'91');
The above SQL is not using prepared statements correctly. Every parameter in a query that may be user-defined should use the "?". I don't know the exact syntax for db->query(), but the above should look something like this:
$sql = "update contacts set firstname = ? where contact_id=?"; $sql_result = $RCMAIL->db->query($sql,"test's", "91");
Note there is NO escaping of single quotes. If using prepared statements correctly, you should never need to escape anything.
The problem is that the tables can be enhanced with new columns, which will require more code additions than with the current approach. Using ? placeholders for everything may work around the bug in MDB2, but the bug still remains to be fixed. -- Dennis
List info: http://lists.roundcube.net/dev/
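The following is an added example, not code from Roundcube or from either poster, and it uses Python's sqlite3 module rather than Roundcube's PHP and MDB2 layer; the table, the contact with id 91 and the values are constructed for the demonstration. It shows the two points of the exchange above: splicing "test's" into the SQL string breaks the statement, whereas binding it through a "?" placeholder stores it verbatim with no escaping, and (Dennis's concern) a query can still be built for whatever columns the table has by generating one "col = ?" per column from a fixed allow-list, so new columns need only a new entry in that list rather than new query code. The allow-list matters because placeholders can bind values only, never column names.

```python
import sqlite3

# Columns of the contacts table that an update may touch. When the table gains
# a column, add it here; the SQL text is generated from this set and never from
# user input, since placeholders bind values only, not identifiers.
CONTACT_COLUMNS = frozenset({"firstname", "surname", "email"})


def setup_db():
    """Constructed in-memory database with one contact, id 91 as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "contact_id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT, email TEXT)"
    )
    conn.execute("INSERT INTO contacts VALUES (91, 'old', 'name', 'old@example.test')")
    conn.commit()
    return conn


def update_firstname_inline(conn, contact_id, firstname):
    """The pattern criticised in the thread: the value is spliced into the SQL."""
    sql = "UPDATE contacts SET firstname = '%s' WHERE contact_id = ?" % firstname
    conn.execute(sql, (contact_id,))
    conn.commit()


def update_contact(conn, contact_id, **fields):
    """Build 'col = ?' for each supplied column; every value is bound as a parameter."""
    if not fields:
        raise ValueError("nothing to update")
    unknown = set(fields) - CONTACT_COLUMNS
    if unknown:
        raise ValueError("unknown column(s): %s" % sorted(unknown))
    cols = sorted(fields)
    assignments = ", ".join("%s = ?" % c for c in cols)
    sql = "UPDATE contacts SET %s WHERE contact_id = ?" % assignments
    params = [fields[c] for c in cols] + [contact_id]
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def get_contact(conn, contact_id):
    """Return (firstname, surname, email) for one contact, or None."""
    return conn.execute(
        "SELECT firstname, surname, email FROM contacts WHERE contact_id = ?",
        (contact_id,),
    ).fetchone()


def demo():
    conn = setup_db()
    # 1. Inline splicing of "test's": the apostrophe ends the string literal
    #    early, the rest is an unterminated string and the statement fails to parse.
    try:
        update_firstname_inline(conn, 91, "test's")
        inline_ok = True
    except sqlite3.Error:
        inline_ok = False
    # 2. Same value through a placeholder: stored verbatim, nothing escaped by hand.
    update_contact(conn, 91, firstname="test's")
    # 3. Text that would be an injection if spliced inline is just a value here,
    #    and two columns are updated with one generated statement.
    update_contact(conn, 91, surname="x' OR 1=1; --", email="a@example.test")
    return inline_ok, get_contact(conn, 91)


if __name__ == "__main__":
    print(demo())  # (False, ("test's", "x' OR 1=1; --", "a@example.test"))
```

Run it directly to see the tuple: the inline version raises, the placeholder version stores the apostrophe and the injection-looking string as plain data. The same shape carries over to MDB2 or PDO in PHP: the query text with "?" markers is built from the allow-listed column names and the values are passed as parameters.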