On Wed, Oct 15, 2008 at 5:18 PM, Ziba Scott ziba@umich.edu wrote:
When editing contacts, some invalid characters are not stripped or handled in some way. They make it all the way to the SQL statement before things trip up. (Using a prepared statement thankfully prevents injecting a second statement. More details in: http://trac.roundcube.net/ticket/1485504)
I can work on a patch, but I'd appreciate some guidance first:
Should the backend explicitly validate the input against a regular expression? What is valid/invalid? How should the interface report bad characters and/or failed contact saves to the user?
Thanks, Ziba
Webmaster Team University of Michigan
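An added illustration of the validate-then-parameterize pattern Ziba asks about; this is example code, not anything from the thread or from Roundcube, and it uses Python with sqlite3 rather than Roundcube's PHP. It assumes the characters at issue are control characters, unassigned code points and invalid UTF-8 (the message above does not say which characters trip up the statement), applies a per-field length limit and a simple address shape check, and returns a per-field error map that an interface could show the user instead of a failed save. The contact table and the sample contacts are constructed for the example.

```python
import re
import sqlite3
import unicodedata

# Assumed per-field limits and a deliberately simple address check (example
# policy, not Roundcube's).
MAX_LEN = {"name": 128, "email": 254, "phone": 32}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_bad_chars(value):
    """Return the disallowed characters in a string.

    Assumption: control characters (Cc, e.g. NUL or ESC), unassigned code
    points (Cn) and lone surrogates (Cs) are never legitimate in a contact
    field, while apostrophes, quotes and non-ASCII letters are.
    """
    return [ch for ch in value if unicodedata.category(ch) in ("Cc", "Cn", "Cs")]


def validate_contact(fields):
    """Return (clean_fields, errors).

    errors maps field name -> human-readable reason; an empty dict means the
    contact may be saved. Byte values are decoded as UTF-8 so that invalid
    encodings are reported instead of reaching the database layer.
    """
    clean, errors = {}, {}
    for name, limit in MAX_LEN.items():
        value = fields.get(name, "")
        if isinstance(value, bytes):
            try:
                value = value.decode("utf-8")
            except UnicodeDecodeError:
                errors[name] = "not valid UTF-8"
                continue
        if len(value) > limit:
            errors[name] = "longer than %d characters" % limit
            continue
        bad = find_bad_chars(value)
        if bad:
            errors[name] = "contains disallowed characters: " + ", ".join(
                "U+%04X" % ord(c) for c in bad)
            continue
        clean[name] = value
    if "email" in clean and clean["email"] and not EMAIL_RE.match(clean["email"]):
        errors["email"] = "not a valid address"
        del clean["email"]
    return clean, errors


def make_db():
    """Constructed in-memory contacts table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)")
    return conn


def save_contact(conn, fields):
    """Validate, then insert with a parameterized statement.

    Returns (row_id, {}) on success or (None, errors) when validation fails.
    Parameters are bound by the driver, so an apostrophe or a stray quote in
    a name is stored literally and can never end the statement early.
    """
    clean, errors = validate_contact(fields)
    if errors:
        return None, errors
    cur = conn.execute(
        "INSERT INTO contacts (name, email, phone) VALUES (?, ?, ?)",
        (clean.get("name", ""), clean.get("email", ""), clean.get("phone", "")),
    )
    conn.commit()
    return cur.lastrowid, {}


def contact_count(conn):
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Legitimate apostrophe: accepted and stored literally.
    print(save_contact(db, {"name": "Ann O'Brien", "email": "ann@example.org", "phone": "+1 555 0100"}))
    # Embedded NUL: rejected with a message naming the field and the code point.
    print(save_contact(db, {"name": "Bob\x00", "email": "bob@example.org", "phone": ""}))
    # Invalid UTF-8 bytes: rejected before any SQL is built.
    print(save_contact(db, {"name": "Carol", "email": b"\xff\xfe", "phone": ""}))
```

The error map is keyed by field so the interface can highlight the offending input rather than reporting a generic "save failed"; the code point is spelled out (U+0000) because the character itself is usually invisible when echoed back.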
I replied, let me know if this helps. :)
Thanks for all input!
Till

_______________________________________________
List info: http://lists.roundcube.net/dev/