
Task #235 — query does not honor the slashed single quote

Attached to Project— EZPDO
Opened by Fenumeor (Fenumeor) - Thursday, 25 Oct 2007, 10:13am
Task Type: Bug Report
Category: Object query
Status: Unconfirmed
Assigned To: No-one
Operating System: All
Severity: High
Priority: Normal
Reported Version: CVS
Due in Version: Undecided
Percent Complete: 0% complete
For example:

$_POST['keyword'] = "a\\' b c";
$data = $this->db->find("from Dwelling where title like '".$_POST['keyword']."'");
The resulting SQL is like this:
SELECT DISTINCT _1.* FROM "ezpdo_Dwelling" AS "_1" WHERE "_1"."title" LIKE 'a\''bc'
which is absolutely not as expected.

I think this is pretty critical, as it could allow SQL injection.
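The two ways of building the query in the report, side by side, as an added example that is not part of the bug report or of EZPDO's code. It uses Python's sqlite3 module in place of EZPDO's OQL layer, with a constructed in-memory table standing in for ezpdo_Dwelling; the keyword a\' b c is the one from the report, and the second keyword x' OR '1'='1 is a constructed injection probe. Note that how a backend reads the reported output 'a\''bc' depends on its escaping rules (MySQL treats \' as an escaped quote by default, SQLite and standard-conforming PostgreSQL do not), which is exactly why splicing escaped text into the query is fragile; binding the value as a parameter sidesteps the question entirely, whatever syntax the ORM offers for it.

```python
import sqlite3

# Constructed sample data: the keyword from the bug report (a\' b c once PHP
# unescapes the double-quoted literal) and one harmless extra title.
REPORT_KEYWORD = "a\\' b c"
SAMPLE_TITLES = [REPORT_KEYWORD, "cottage"]


def make_db():
    """In-memory stand-in for the ezpdo_Dwelling table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "ezpdo_Dwelling" (title TEXT)')
    conn.executemany('INSERT INTO "ezpdo_Dwelling" (title) VALUES (?)',
                     [(t,) for t in SAMPLE_TITLES])
    return conn


def find_by_concat(conn, keyword):
    """The pattern from the report: splice the keyword straight into the
    query text, so whatever it contains is parsed as SQL syntax."""
    sql = ('SELECT title FROM "ezpdo_Dwelling" WHERE title LIKE \''
           + keyword + "' ORDER BY title")
    return [row[0] for row in conn.execute(sql)]


def find_by_param(conn, keyword):
    """Bind the keyword as a parameter: quotes and backslashes stay data,
    and no escaping step is needed at all."""
    sql = 'SELECT title FROM "ezpdo_Dwelling" WHERE title LIKE ? ORDER BY title'
    return [row[0] for row in conn.execute(sql, (keyword,))]


def concat_breaks_on(keyword):
    """True if string-splicing the keyword yields SQL the backend rejects."""
    try:
        find_by_concat(make_db(), keyword)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_by_param(db, REPORT_KEYWORD))      # one exact match
    print(find_by_param(db, "x' OR '1'='1"))       # [] : the OR is just text
    print(find_by_concat(db, "x' OR '1'='1"))      # every row: the OR became SQL
    print(concat_breaks_on(REPORT_KEYWORD))        # True: a\' b c is a syntax error
```

The bound query returns exactly the row whose title is a\' b c and treats the injection probe as an ordinary (non-matching) string, while the spliced query either errors out on the report's keyword or, given the probe, returns every row.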