gnul wrote:
>> $sql = "update contacts set firstname = 'test\'s' where contact_id=?";
>> $sql_result = $RCMAIL->db->query($sql,'91');
>>     
>
> The above SQL is not using prepared statements correctly.  Every
> parameter in a query that may be user-defined should use the "?".
Thank you for pointing that out.  My example is modeled after what's
really going on in rcube_contacts::update()
_______________________________________________
List info: http://lists.roundcube.net/dev/
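As an added illustration of the point about "?" placeholders (this is not code from the message or from roundcube), using PHP's standard PDO with an in-memory SQLite table in place of roundcube's $RCMAIL->db wrapper; the table, the row and the input value are constructed for the example:

```php
<?php
// Added example, not roundcube code: every user-supplied value belongs in a
// '?' placeholder, not in the SQL string. PDO + in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, firstname TEXT)");
$db->exec("INSERT INTO contacts (contact_id, firstname) VALUES (91, 'old')");

// Constructed user input containing an apostrophe, like the "test's" in the thread.
$firstname = "test's";
$contactId = 91;

// Wrong: the value is spliced into the query text. The apostrophe terminates the
// string literal early, so the statement is no longer the one the author meant;
// here it simply fails to parse.
try {
    $db->exec("UPDATE contacts SET firstname = '$firstname' WHERE contact_id = $contactId");
} catch (PDOException $e) {
    echo "inline value rejected: " . $e->getMessage() . "\n";
}

// Right: both values are bound to '?' placeholders, so the driver never
// interprets their contents as SQL, whatever characters they contain.
$stmt = $db->prepare("UPDATE contacts SET firstname = ? WHERE contact_id = ?");
$stmt->execute([$firstname, $contactId]);

$row = $db->query("SELECT firstname FROM contacts WHERE contact_id = 91")
          ->fetch(PDO::FETCH_ASSOC);
echo "stored firstname: " . $row['firstname'] . "\n";
```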