till wrote:
> On Thu, Oct 16, 2008 at 9:08 PM, Dennis P. Nikolaenko
> <[EMAIL PROTECTED]> wrote:
>> till wrote:
>>> On Thu, Oct 16, 2008 at 9:03 PM, Dennis P. Nikolaenko
>>> <[EMAIL PROTECTED]> wrote:
>>>
>>>> A.L.E.C wrote:
>>>>
>>>>> Ziba Scott wrote:
>>>>>
>>>>>> Hi Mike,
>>>>>>
>>>>>> RC is using prepared statements.  Even so, just quoting the character
>>>>>> might not be the total answer because ticket: 1463946 claims that if
>>>>>> this single quote were stored,  it would cause problems down the line.
>>>>>> So there is still a question of escaping, storing and fixing later
>>>>>> problems or rejecting in the first place.
>>>>>>
>>>>> Any character should be allowed in names. For the email field a
>>>>> regex should be used. That's all. Also there's quoting in rcube_contacts:
>>>>>
>>>>> $a_insert_cols[] = $this->db->quoteIdentifier($col);
>>>>> $a_insert_values[] = $this->db->quote($save_data[$col]);
>>>>>
>>>>> so really, I don't see where's the problem.
>>>>>
>>>> I think the problem lies in MDB2, in the way it tries to avoid substituting
>>>> '?' inside quoted strings when calling prepare(). It looks like query()
>>>> indirectly calls prepare() in the MySQL MDB2 driver.
>>>> Is it the latest version in RC tree?
>>>>
>>> I think this is not a bug, but a feature. If I remember correctly
>>> there is auto-quoting (or maybe I saw it in another DBAL).
>>>
>> MySQL MDB2 bails out on \' strings inside '-quoted strings, but it is
>> perfectly legal to have such a string in SQL.
>
> Yes, it's called "quoting data". You have to do it yourself.
Err, that is not MySQL driver specific, actually.
In _skipDelimitedStrings() I get for $query when saving my identity:

SET `name`='Dennis P. Nikolaenko', `email`='[EMAIL PROTECTED]', 
`organization`='foo\'', `reply-to`='', `bcc`='', `standard`='1', 
`signature`='Regards,\r\nDennis P. Nikolaenko', `html_signature`=0
       WHERE  identity_id=?
       AND    user_id=?
       AND    del<>1

This is legal SQL. But _skipDelimitedStrings() essentially counts ' to 
get the idea where strings start and end. It does not handle the case 
where a string contains an embedded \'.
--
Dennis
_______________________________________________
List info: http://lists.roundcube.net/dev/
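The failure Dennis describes is a scanner that pairs up quote characters without knowing about escape sequences, so a literal such as `'foo\''` flips its in-string state and the real `?` placeholders after it are never found. The block below is an added illustration, written for this thread and not code from Roundcube or MDB2 (both are PHP; Python is used here only to show the scanning logic). It puts the naive toggle-on-every-quote scanner beside one that consumes whole literals, honouring both the backslash escape (`\'`) and the doubled quote (`''`), and runs both over a constructed UPDATE modelled on the query in the message above. The function names, the table name and the bound values are assumptions.

```python
"""Locating '?' placeholders in a SQL string while skipping quoted literals.

Constructed example for the MDB2 thread: a scanner that merely toggles on
every quote character is derailed by a backslash-escaped quote inside a
literal, and then misses the real placeholders that follow it.
"""

# Constructed query modelled on the one in the thread (table name assumed).
# Raw string, so the backslashes are literal characters in the SQL text.
SAMPLE_SQL = (r"UPDATE identities SET `name`='Dennis P. Nikolaenko', "
              r"`organization`='foo\'', `reply-to`='', "
              r"`signature`='Regards,\r\nDennis P. Nikolaenko' "
              r"WHERE identity_id=? AND user_id=? AND del<>1")


def find_placeholders_naive(sql: str) -> list[int]:
    """Offsets of '?' outside quotes, toggling state on every quote character.

    This mirrors the failure described in the thread: the escaped quote in
    'foo\\'' flips the state, so everything after it is misclassified.
    """
    positions = []
    in_string = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_string = not in_string
        elif ch == "?" and not in_string:
            positions.append(i)
    return positions


def find_placeholders(sql: str) -> list[int]:
    """Offsets of '?' outside '-quoted literals.

    Inside a literal, a backslash escapes the next character (MySQL style)
    and a doubled quote ('') stands for a single quote (standard SQL), so
    neither ends the literal.
    """
    positions = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            i += 1                      # step past the opening quote
            while i < n:
                c = sql[i]
                if c == "\\" and i + 1 < n:
                    i += 2              # skip the escaped character
                    continue
                if c == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2          # doubled quote, still inside
                        continue
                    break               # genuine closing quote
                i += 1
            i += 1                      # step past the closing quote
            continue
        if ch == "?":
            positions.append(i)
        i += 1
    return positions


def quote_literal(value) -> str:
    """Render a bound value as a MySQL literal, escaping backslash and quote."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def bind_params(sql: str, params: list) -> str:
    """Emulate client-side binding: replace each real placeholder in order."""
    positions = find_placeholders(sql)
    if len(positions) != len(params):
        raise ValueError(f"{len(positions)} placeholders, {len(params)} values")
    out, last = [], 0
    for pos, val in zip(positions, params):
        out.append(sql[last:pos])
        out.append(quote_literal(val))
        last = pos + 1
    out.append(sql[last:])
    return "".join(out)


if __name__ == "__main__":
    print("naive  :", find_placeholders_naive(SAMPLE_SQL))   # finds none
    print("correct:", find_placeholders(SAMPLE_SQL))         # the two in WHERE
    print(bind_params(SAMPLE_SQL, [42, 7]))
```

Run stand-alone, the naive scanner reports no placeholders for `SAMPLE_SQL` while the literal-aware one finds both `?` in the WHERE clause; `bind_params` then fills them in, and `quote_literal` shows the escaping that produces strings like `'foo\''` in the first place, which is exactly the input the scanner has to be able to read back.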