I agree with gnul - thanks for outlining the issue that way. As I already said before - if prepared statements are used correctly there is no need for quoting!
Dennis,

Could you please elaborate a bit more on that issue? I don't quite understand what you are trying to say. If the bug is fixed so it no longer crashes the SQL statement, what remains unfixed?

Kind regards,
Mike

--
Michael Baierl <http://mbaierl.com/>

On 17.10.2008, at 20:45, "Dennis P. Nikolaenko" <[EMAIL PROTECTED]> wrote:

> gnul wrote:
>>> $sql = "update contacts set firstname = 'test\'s' where
>>> contact_id=?";
>>> $sql_result = $RCMAIL->db->query($sql,'91');
>>>
>>>
>>
>> The above SQL is not using prepared statements correctly. Every
>> parameter in a query that may be user-defined should use the "?". I
>> don't know the exact syntax for db->query(), but the above should look
>> something like this:
>>
>> $sql = "update contacts set firstname = ? where contact_id=?";
>> $sql_result = $RCMAIL->db->query($sql,"test's", "91");
>>
>> Note there is NO escaping of single quotes. If using prepared
>> statements correctly, you should never need to escape anything.
>>
> The problem is that the tables can be enhanced with new columns, that
> will require additions of more code than with the current approach.
> Using ? placeholders for everything may work around the bug in MDB2, but
> the bug still remains to be fixed.
> --
> Dennis
>
> _______________________________________________
> List info: http://lists.roundcube.net/dev/
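As an added illustration (not code from this thread, from Roundcube or from MDB2), here is the same UPDATE with the apostrophe spliced into the SQL text versus bound through placeholders, plus one way to cover newly added columns without giving up placeholders. It uses PDO with an in-memory SQLite database in place of $RCMAIL->db->query(); the update_contact() helper and its column allow-list are assumptions.

```php
<?php
// Added example (not from the Roundcube thread or the MDB2 library): the same
// UPDATE written two ways, run against an in-memory SQLite database via PDO.
// Roundcube's $RCMAIL->db->query() wrapper is not used here; PDO stands in for it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT)");
$db->exec("INSERT INTO contacts (contact_id, firstname, surname) VALUES (91, 'old', 'x')");

$firstname = "test's";   // user-supplied value containing an apostrophe

// 1. Value spliced into the SQL text with hand-written escaping. Whether this even
//    parses depends on the backend: MySQL accepts \' inside a literal, SQLite does
//    not (it only recognises doubled quotes), and a wrapper that scans the string
//    for ? placeholders has to get the quoting rules right too.
try {
    $sql = "UPDATE contacts SET firstname = 'test\'s' WHERE contact_id = ?";
    $db->prepare($sql)->execute([91]);
    echo "spliced literal: accepted by this backend\n";
} catch (PDOException $e) {
    echo "spliced literal: rejected: " . $e->getMessage() . "\n";
}

// 2. Every user-controlled value goes through a placeholder; no escaping code at all.
$sql = "UPDATE contacts SET firstname = ? WHERE contact_id = ?";
$db->prepare($sql)->execute([$firstname, 91]);

// 3. Dennis's objection (new columns mean more code) handled without giving up
//    placeholders: column names come from a fixed allow-list, values stay bound.
function update_contact(PDO $db, int $id, array $fields): int {
    $allowed = ['firstname', 'surname'];   // hypothetical schema-derived allow-list
    $set = [];
    $params = [];
    foreach ($fields as $col => $val) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("unknown column: $col");
        }
        $set[] = "$col = ?";   // identifier comes from the allow-list, never from input
        $params[] = $val;      // value is always bound, whatever characters it holds
    }
    $params[] = $id;
    $stmt = $db->prepare("UPDATE contacts SET " . implode(', ', $set) . " WHERE contact_id = ?");
    $stmt->execute($params);
    return $stmt->rowCount();
}

update_contact($db, 91, ['firstname' => $firstname, 'surname' => "O'Brien"]);
$row = $db->query("SELECT firstname, surname FROM contacts WHERE contact_id = 91")->fetch(PDO::FETCH_ASSOC);
echo $row['firstname'], ' ', $row['surname'], "\n";
```

Run with `php example.php` (needs the pdo_sqlite extension); the bound versions store the apostrophes unchanged, while the spliced literal is only as portable as the backend's escaping rules.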
