Ziba Scott wrote:
> Hi Mike,
>
> RC is using prepared statements. Even so, just quoting the character
> might not be the total answer because ticket: 1463946 claims that if
> this single quote were stored, it would cause problems down the line.
> So there is still a question of escaping, storing and fixing later
> problems or rejecting in the first place.
Any character should be allowed in names. For the email field a regex should be used. That's all.

Also there's quoting in rcube_contacts:

    $a_insert_cols[] = $this->db->quoteIdentifier($col);
    $a_insert_values[] = $this->db->quote($save_data[$col]);

so really, I don't see where the problem is.

-- 
Aleksander 'A.L.E.C' Machniak http://alec.pl gg:2275252
LAN Management System Developer http://lms.org.pl
Roundcube Webmail Developer http://roundcube.net
_______________________________________________
List info: http://lists.roundcube.net/dev/
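The two positions in the thread (quote or parameterize and store any character, versus reject the single quote up front) can be made concrete with a small stand-alone example. This is added illustration, not Roundcube code and not the rcube_contacts quoting shown above: it uses an in-memory SQLite table, a constructed contact name containing an apostrophe, and an assumed, deliberately simple e-mail regex that does not reproduce Roundcube's own validation. It shows that a concatenated INSERT breaks on the apostrophe, that a parameterized INSERT stores it intact, and that the "problems down the line" the ticket worries about reappear only where a later query is again built by concatenation rather than with placeholders.

```python
import re
import sqlite3

# Constructed sample contact (not from the thread): a name containing a single quote.
SAMPLE_NAME = "Miles O'Brien"
SAMPLE_EMAIL = "miles.obrien@example.org"

# Assumed, deliberately simple e-mail pattern; Roundcube's own check is not reproduced here.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def valid_email(addr):
    """Accept only addresses that match the whole pattern (reject, don't escape)."""
    return EMAIL_RE.fullmatch(addr) is not None


def new_db():
    """In-memory table standing in for a contacts table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    return db


def insert_by_concatenation(db, name, email):
    """What goes wrong without quoting: the apostrophe terminates the string literal."""
    db.execute("INSERT INTO contacts (name, email) VALUES ('%s', '%s')" % (name, email))


def insert_parameterized(db, name, email):
    """Placeholders carry the value out of band, so any character in the name is fine.
    The e-mail field is validated instead, as the thread suggests."""
    if not valid_email(email):
        raise ValueError("rejected e-mail address: %r" % email)
    db.execute("INSERT INTO contacts (name, email) VALUES (?, ?)", (name, email))
    db.commit()


def search_by_concatenation(db, name):
    """A later query built by concatenation breaks again on the stored apostrophe:
    storing the character is only safe if every consumer also parameterizes."""
    rows = db.execute("SELECT email FROM contacts WHERE name = '%s'" % name).fetchall()
    return [r[0] for r in rows]


def search_parameterized(db, name):
    """The same lookup with a placeholder round-trips the stored name correctly."""
    rows = db.execute("SELECT email FROM contacts WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run all four paths and report which ones survive the apostrophe."""
    db = new_db()
    results = {}
    try:
        insert_by_concatenation(db, SAMPLE_NAME, SAMPLE_EMAIL)
        results["insert_concat"] = "ok"
    except sqlite3.OperationalError:
        results["insert_concat"] = "syntax error"
    insert_parameterized(db, SAMPLE_NAME, SAMPLE_EMAIL)
    results["stored_name"] = db.execute("SELECT name FROM contacts").fetchone()[0]
    try:
        results["search_concat"] = search_by_concatenation(db, SAMPLE_NAME)
    except sqlite3.OperationalError:
        results["search_concat"] = "syntax error"
    results["search_param"] = search_parameterized(db, SAMPLE_NAME)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The design point is the one Aleksander makes: with the value passed through a placeholder (or the driver's quote()) there is nothing to reject in a name, and the regex belongs on the field whose format is actually constrained. The concatenated search is included only to show where a stored apostrophe could still bite, namely any later code path that skips the quoting.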
