till wrote:
> On Thu, Oct 16, 2008 at 9:03 PM, Dennis P. Nikolaenko
> <[EMAIL PROTECTED]> wrote:
>
>> A.L.E.C wrote:
>>
>>> Ziba Scott wrote:
>>>
>>>> Hi Mike,
>>>>
>>>> RC is using prepared statements. Even so, just quoting the character
>>>> might not be the total answer because ticket: 1463946 claims that if
>>>> this single quote were stored, it would cause problems down the line.
>>>> So there is still a question of escaping, storing and fixing later
>>>> problems or rejecting in the first place.
>>>>
>>> Any character should be allowed in names. A regex should be used for
>>> the email field. That's all. Also there's quoting in rcube_contacts:
>>>
>>> $a_insert_cols[] = $this->db->quoteIdentifier($col);
>>> $a_insert_values[] = $this->db->quote($save_data[$col]);
>>>
>>> so really, I don't see where's the problem.
>>>
>> I think the problem lies in MDB2, in the way it tries to avoid substituting
>> '?' inside quoted strings when calling prepare(). It looks like query()
>> indirectly calls prepare() in the MySQL MDB2 driver.
>> Is it the latest version in RC tree?
>>
>
> I think this is not a bug, but a feature. If I remember correctly
> there is auto-quoting (or maybe I saw it in another DBAL).
>
MySQL MDB2 bails out on \' strings inside '-quoted strings, but it is
perfectly legal to have such a string in SQL.
--
Dennis
_______________________________________________
List info: http://lists.roundcube.net/dev/
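An added example, not MDB2's or Roundcube's code: a small Python model of the placeholder scan discussed above (the scanning rules are assumed, not taken from MDB2), showing how a value spliced into the query text with a \' escape makes a scanner that only knows '' doubling lose track of the literal and bail out, while the same value passed as a bound parameter never reaches the scanner at all.

```python
# Added example (not MDB2's or Roundcube's code): a model of how a DBAL
# locates '?' placeholders outside string literals, and why values spliced
# into the SQL text trip it up while bound parameters do not.
from typing import List, Tuple


def find_placeholders(sql: str, backslash_escapes: bool = True) -> List[int]:
    """Offsets of '?' that lie outside single-quoted literals.

    A quote inside a literal may be doubled ('') in standard SQL; MySQL
    additionally allows backslash escapes (\\'). With backslash_escapes
    False the scanner mis-reads \\' as the end of the literal.
    """
    positions, in_string, i, n = [], False, 0, len(sql)
    while i < n:
        c = sql[i]
        if in_string:
            if backslash_escapes and c == "\\":
                i += 2                      # skip the escaped character
                continue
            if c == "'" and sql[i + 1:i + 2] == "'":
                i += 2                      # doubled quote stays in the literal
                continue
            if c == "'":
                in_string = False
        elif c == "'":
            in_string = True
        elif c == "?":
            positions.append(i)
        i += 1
    if in_string:
        raise ValueError("unterminated string literal")  # the 'bail out' case
    return positions


def scanner_bails(sql: str, backslash_escapes: bool) -> bool:
    """True when the scan cannot find the end of a literal."""
    try:
        find_placeholders(sql, backslash_escapes)
        return False
    except ValueError:
        return True


def build_insert(table: str, data: dict) -> Tuple[str, list]:
    """INSERT whose text carries only placeholders; values travel separately."""
    cols = list(data)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(cols), ", ".join("?" for _ in cols))
    return sql, [data[c] for c in cols]


# Constructed input: a contact name with a quote, spliced into the SQL text.
SPLICED = "INSERT INTO contacts (name, email) VALUES ('O\\'Brien', ?)"
```

Running `find_placeholders(SPLICED)` finds the one real placeholder, while `scanner_bails(SPLICED, False)` is True; `build_insert("contacts", {...})` yields text with only `?` markers, so the quote in the name is never scanned.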