On Thu, Oct 16, 2008 at 9:03 PM, Dennis P. Nikolaenko <[EMAIL PROTECTED]> wrote:
> A.L.E.C wrote:
>> Ziba Scott wrote:
>>
>>> Hi Mike,
>>>
>>> RC is using prepared statements. Even so, just quoting the character
>>> might not be the total answer because ticket: 1463946 claims that if
>>> this single quote were stored, it would cause problems down the line.
>>> So there is still a question of escaping, storing and fixing later
>>> problems or rejecting in the first place.
>>>
>>
>> In names should be allowed any character. For email field should be used
>> regex. That's all. Also there's quoting in rcube_contacts:
>>
>> $a_insert_cols[] = $this->db->quoteIdentifier($col);
>> $a_insert_values[] = $this->db->quote($save_data[$col]);
>>
>> so really, I don't see where's the problem.
>>
> I think the problem lies in MDB2 the way it tries to avoid to substitute
> '?' inside quoted strings when calling prepare(). It looks that query()
> indirectly calls prepare() in MySQL MDB2 driver.
> Is it the latest version in RC tree?

I think this is not a bug, but a feature. If I remember correctly there is
auto-quoting (or maybe I saw it in another DBAL).

Till
