On Thu, Oct 16, 2008 at 9:08 PM, Dennis P. Nikolaenko <[EMAIL PROTECTED]> wrote:
> till wrote:
>>
>> On Thu, Oct 16, 2008 at 9:03 PM, Dennis P. Nikolaenko
>> <[EMAIL PROTECTED]> wrote:
>>
>>> A.L.E.C wrote:
>>>
>>>> Ziba Scott wrote:
>>>>
>>>>> Hi Mike,
>>>>>
>>>>> RC is using prepared statements. Even so, just quoting the character
>>>>> might not be the total answer because ticket 1463946 claims that if
>>>>> this single quote were stored, it would cause problems down the line.
>>>>> So there is still a question of escaping, storing and fixing later
>>>>> problems, or rejecting in the first place.
>>>>>
>>>>
>>>> Any character should be allowed in names. A regex should be used for
>>>> the email field. That's all. Also there's quoting in rcube_contacts:
>>>>
>>>> $a_insert_cols[] = $this->db->quoteIdentifier($col);
>>>> $a_insert_values[] = $this->db->quote($save_data[$col]);
>>>>
>>>> so really, I don't see where the problem is.
>>>>
>>>
>>> I think the problem lies in MDB2, in the way it tries to avoid substituting
>>> '?' inside quoted strings when calling prepare(). It looks like query()
>>> indirectly calls prepare() in the MySQL MDB2 driver.
>>> Is it the latest version in the RC tree?
>>>
>>
>> I think this is not a bug, but a feature. If I remember correctly
>> there is auto-quoting (or maybe I saw it in another DBAL).
>>
>
> MySQL MDB2 bails out on \' strings inside '-quoted strings, but it is
> perfectly legal to have such a string in SQL.
Yes, it's called "quoting data". You have to do it yourself.

_______________________________________________
List info: http://lists.roundcube.net/dev/
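The placeholder-scanning problem discussed in the thread (a `?` placeholder versus a `?` or a `\'` sitting inside a quoted literal), as an added example that is not part of this thread and not MDB2's or Roundcube's code: a scanner that locates positional placeholders while keeping both the standard `''` and the MySQL `\'` escapes inside the literal, plus a client-side binder built on it. The names `find_placeholders`, `bind` and `mysql_quote` are hypothetical, and `mysql_quote` is an assumed stand-in for the DBAL's `quote()`.

```python
# Added example, not MDB2's or Roundcube's code: locate '?' placeholders
# without tripping over quote characters inside SQL string literals.
def find_placeholders(sql):
    """Offsets of every positional '?' placeholder in `sql`.  A '?' inside a
    quoted literal is data and is skipped; both the standard doubled quote
    ('') and the MySQL backslash escape (\\') are kept inside the literal,
    so a value like 'O\\'Brien' does not end it early."""
    positions = []
    quote = None        # quote char that opened the current literal, or None
    i = 0
    while i < len(sql):
        ch = sql[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
            elif ch == "?":
                positions.append(i)
        elif ch == "\\" and i + 1 < len(sql):
            i += 2          # backslash escape: the next char is literal
            continue
        elif ch == quote:
            if i + 1 < len(sql) and sql[i + 1] == quote:
                i += 2      # doubled quote ('') stays inside the literal
                continue
            quote = None    # closing quote
        i += 1
    if quote is not None:
        raise ValueError("unterminated string literal in SQL")
    return positions

def mysql_quote(value):
    """Assumed stand-in for the DBAL's quote(): wrap in '...' and
    backslash-escape what MySQL treats specially inside a literal."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace("\0", "\\0")
    return "'" + escaped + "'"

def bind(sql, values, quote_value=mysql_quote):
    """Client-side execute(): splice quoted values into the placeholder slots,
    which are found once up front so a '?' inside a value is never re-read."""
    slots = find_placeholders(sql)
    if len(slots) != len(values):
        raise ValueError(f"{len(slots)} placeholders, {len(values)} values")
    out, last = [], 0
    for pos, val in zip(slots, values):
        out.append(sql[last:pos])
        out.append(quote_value(val))
        last = pos + 1
    out.append(sql[last:])
    return "".join(out)
```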
