> $sql = "update contacts set firstname = 'test\'s' where contact_id=?";
> $sql_result = $RCMAIL->db->query($sql,'91');
The above SQL is not using prepared statements correctly. Every parameter in a query that may be user-defined should use the "?". I don't know the exact syntax for db->query(), but the above should look something like this:

$sql = "update contacts set firstname = ? where contact_id=?";
$sql_result = $RCMAIL->db->query($sql,"test's", "91");

Note there is NO escaping of single quotes. If using prepared statements correctly, you should never need to escape anything.

-gnul

_______________________________________________
List info: http://lists.roundcube.net/dev/
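As an added example (not from this thread and not Roundcube's own db layer, whose exact query() signature the reply leaves open), the same update written with PHP's PDO against an in-memory SQLite table. The table, its row and the helper function names are constructed for the demo. It shows the two points of the reply: both user-controlled values travel as "?" placeholders, so an apostrophe in the name is stored as plain data, and pre-escaping the value with a backslash (what the quoted snippet did) is not only unnecessary but wrong, because a bound parameter is never parsed as SQL and the backslash ends up stored literally.

```php
<?php
// Added example, not Roundcube code: PDO placeholders instead of inline quoting.
// Table, row and function names are constructed for this demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, firstname TEXT)");
$pdo->exec("INSERT INTO contacts (contact_id, firstname) VALUES (91, 'old')");

// Every value that may come from the user is a "?" parameter; the SQL text
// itself is a constant string and never has data spliced into it.
function update_firstname(PDO $pdo, int $contactId, string $firstname): int
{
    $stmt = $pdo->prepare("UPDATE contacts SET firstname = ? WHERE contact_id = ?");
    $stmt->execute([$firstname, $contactId]);
    return $stmt->rowCount();   // number of rows changed
}

// Read the stored value back, also via a placeholder.
function read_firstname(PDO $pdo, int $contactId): ?string
{
    $stmt = $pdo->prepare("SELECT firstname FROM contacts WHERE contact_id = ?");
    $stmt->execute([$contactId]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// 1. Raw apostrophe, bound as data: no quoting problem, stored as typed.
update_firstname($pdo, 91, "test's");
echo "bound raw value      -> ", read_firstname($pdo, 91), PHP_EOL;

// 2. Value escaped by hand before binding (the mistake in the quoted snippet):
//    the driver does not interpret the backslash, so it is stored as part of
//    the name. With placeholders, escaping corrupts data instead of protecting it.
update_firstname($pdo, 91, "test\\'s");
echo "bound escaped value  -> ", read_firstname($pdo, 91), PHP_EOL;
```

The first read-back returns the name with just the apostrophe; the second contains the backslash as well, which is the concrete reason the reply says never to escape when binding parameters. The same shape applies to any DB layer that accepts "?" parameters, including Roundcube's query(): keep the SQL constant and pass every variable value separately.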
