gnul wrote:
>> $sql = "update contacts set firstname = 'test\'s' where contact_id=?";
>> $sql_result = $RCMAIL->db->query($sql,'91');
>>
>
> The above SQL is not using prepared statements correctly. Every
> parameter in a query that may be user-defined should use the "?". I
> don't know the exact syntax for db->query(), but the above should look
> something like this:
>
> $sql = "update contacts set firstname = ? where contact_id=?";
> $sql_result = $RCMAIL->db->query($sql,"test's", "91");
>
> Note there is NO escaping of single quotes. If using prepared
> statements correctly, you should never need to escape anything.
>

The problem is that the tables can be extended with new columns, which will require more additional code than with the current approach. Using ? placeholders for everything may work around the bug in MDB2, but the bug still remains to be fixed.

-- 
Dennis
_______________________________________________ List info: http://lists.roundcube.net/dev/
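The point made in the quoted reply, binding every user-supplied value through a "?" placeholder instead of escaping it into the statement text, as an added example that is not Roundcube code and does not use MDB2. Python's sqlite3 module stands in for $RCMAIL->db->query(); the contacts table, its two rows and the inputs are constructed for the demonstration. It also shows why hand escaping is fragile: the backslash form from the original query is MySQL syntax, and SQLite rejects it outright once the value actually contains a quote.

```python
"""Added example (not Roundcube or MDB2 code): bind every value with '?',
never paste it into the SQL string.  sqlite3 stands in for
$RCMAIL->db->query(); table, rows and inputs are constructed here."""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory contacts table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table contacts (contact_id integer primary key, firstname text)"
    )
    conn.executemany(
        "insert into contacts (contact_id, firstname) values (?, ?)",
        [(91, "old"), (92, "other")],
    )
    return conn


def update_firstname_bound(conn, contact_id, firstname):
    """The correct shape: one '?' per value, nothing escaped by hand."""
    sql = "update contacts set firstname = ? where contact_id = ?"
    conn.execute(sql, (firstname, contact_id))


def update_firstname_escaped(conn, contact_id, firstname):
    """The shape from the original message: the value is escaped by hand and
    spliced into the statement text; only contact_id is bound."""
    escaped = firstname.replace("'", "\\'")
    sql = "update contacts set firstname = '%s' where contact_id = ?" % escaped
    conn.execute(sql, (contact_id,))


def firstname_of(conn, contact_id):
    row = conn.execute(
        "select firstname from contacts where contact_id = ?", (contact_id,)
    ).fetchone()
    return row[0] if row else None


def run_demo():
    """Runs both approaches against the same inputs and returns what each did."""
    results = {}
    conn = make_db()

    # 1. A quote inside the value: bound, it is stored exactly as typed.
    update_firstname_bound(conn, 91, "test's")
    results["bound_quote"] = firstname_of(conn, 91)

    # 2. Hostile input: quotes, a statement separator, a comment and a '?'
    #    of its own.  Bound, it is data; the driver never parses it as SQL.
    payload = "x'; update contacts set firstname = 'pwned' where 1 = 1; -- ?"
    update_firstname_bound(conn, 91, payload)
    results["bound_payload"] = firstname_of(conn, 91)
    results["other_row_untouched"] = firstname_of(conn, 92) == "other"

    # 3. Hand escaping only looks fine while the input has no quote.  The
    #    backslash escape is MySQL syntax: SQLite reads 'test\' as a whole
    #    string literal and fails on what follows, so the update is rejected.
    update_firstname_escaped(conn, 91, "Alice")
    results["escaped_plain"] = firstname_of(conn, 91)
    try:
        update_firstname_escaped(conn, 91, "test's")
        results["escaped_quote"] = firstname_of(conn, 91)
    except sqlite3.OperationalError as exc:
        results["escaped_quote"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-20s %r" % (key, value))
```

Binding also sidesteps the per-backend question of which escape the database expects (backslash on MySQL, a doubled quote on SQLite and PostgreSQL), because the value never enters the statement text at all; that is independent of whatever MDB2 does with escaped quotes when it scans for placeholders, which this example does not model.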
