Hi,
Thanks for the response. There is at least one real problem I think we're all agreeing on:
Right now, if you put an apostrophe in the first or last name field of a contact and try to save it, mdb2 throws an error during prepare and the save fails. The quick solution may be to (as many people have reasonably suggested) just escape the sensitive characters.
This old ticket, http://trac.roundcube.net/ticket/1463946, suggests a second problem: characters in contact fields other than email do impact the final string used to address the message.
Autocomplete concatenates contact fields when composing.
First name: John, Last Name: Doe, Email: jdoe@example.com becomes "John Doe jdoe@example.com".
If we allow anything into the first name field, then we allow autocomplete to put anything into the address fields on the compose screen.
Is that not a concern?
Thanks,
Ziba
Webmaster Team, University of Michigan
http://trac.roundcube.net/ticket/1463946
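The two problems raised in this thread, as an added example that is not Roundcube, mdb2 or rcube_contacts code: an apostrophe in a name is harmless once the value is bound as a parameter instead of being spliced into the SQL text, and a name field that is concatenated straight onto an address (the "John Doe jdoe@example.com" autocomplete string) can add a second recipient unless the display name is quoted as an RFC 5322 mailbox. The names, addresses, table layout and the `ADDR_SPEC` regex below are constructed for the example; the regex is a deliberately conservative local@domain check, not a full RFC 5322 grammar.

```python
"""Added example (not Roundcube or mdb2 code). Uses constructed names and
addresses to show the two problems in this thread: an apostrophe in a name
breaking a hand-built SQL statement, and a free-form name changing the
recipient list when autocomplete concatenates name and address."""
import re
import sqlite3
from email.headerregistry import Address
from email.utils import getaddresses

# Conservative addr-spec check for the email field (the thread's "use a regex").
# Assumption: plain local@domain; no comments, quoted local parts or IP literals.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def valid_email(addr):
    return ADDR_SPEC.match(addr) is not None


def store_contact(conn, first, last, email):
    """Insert with bound parameters: any character is allowed in the name
    fields because the values never become part of the SQL text. Returns the
    stored row so the caller can see the apostrophe survived intact."""
    if not valid_email(email):
        raise ValueError(f"rejecting address field: {email!r}")
    conn.execute(
        "INSERT INTO contacts (firstname, surname, email) VALUES (?, ?, ?)",
        (first, last, email),
    )
    return conn.execute(
        "SELECT firstname, surname, email FROM contacts WHERE email = ?", (email,)
    ).fetchone()


def naive_recipient(first, last, email):
    """The concatenation the thread describes: "John Doe jdoe@example.com"."""
    return f"{first} {last} {email}"


def safe_recipient(first, last, email):
    """RFC 5322 mailbox: the display name is quoted (and backslash/quote
    escaped) when it contains specials such as , < > " so it cannot open a
    second mailbox; the address itself goes in angle brackets."""
    if not valid_email(email):
        raise ValueError(f"rejecting address field: {email!r}")
    name = f"{first} {last}".strip()
    # Address() also refuses CR/LF in any part, which blocks header injection.
    return str(Address(display_name=name, addr_spec=email))


def recipients(header_value):
    """Addresses an RFC 5322 parser extracts from a To: header value."""
    return [addr for _, addr in getaddresses([header_value]) if addr]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (firstname TEXT, surname TEXT, email TEXT)")
    # The apostrophe that breaks a string-built statement is just data here.
    row = store_contact(conn, "Pat", "O'Brien", "pob@example.com")

    # Constructed hostile first name: closes one mailbox and starts another.
    hostile = "Mallory <mallory@evil.example>,"
    leaked = recipients(naive_recipient(hostile, "", "jdoe@example.com"))
    kept = recipients(safe_recipient(hostile, "", "jdoe@example.com"))
    return row, leaked, kept


if __name__ == "__main__":
    row, leaked, kept = demo()
    print("stored:", row)
    print("naive concatenation delivers to:", leaked)
    print("quoted mailbox delivers to:", kept)
```

Run it and the naive string parses to two recipients, mallory@evil.example and jdoe@example.com, while the quoted form parses to jdoe@example.com alone with the whole hostile string kept as the display name. Note that even an honest "John Doe jdoe@example.com" is not a valid mailbox on its own (the name words end up in the local part), which is a further reason to build the address string from the fields rather than concatenating them.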
A.L.E.C wrote:
Ziba Scott wrote:
Hi Mike,
RC is using prepared statements. Even so, just quoting the character might not be the total answer because ticket 1463946 claims that if this single quote were stored, it would cause problems down the line. So there is still a question of escaping, storing and fixing later problems, or rejecting in the first place.
Any character should be allowed in names. For the email field, a regex should be used. That's all. Also there's quoting in rcube_contacts:
$a_insert_cols[] = $this->db->quoteIdentifier($col);
$a_insert_values[] = $this->db->quote($save_data[$col]);
so really, I don't see where the problem is.
List info: http://lists.roundcube.net/dev/