[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

Rich Lafferty rich@horde.org
Fri, 3 Aug 2001 20:55:56 -0400


On Fri, Aug 03, 2001 at 10:13:10PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> Another comment on addslashes() says:
> 
>         Using backslashes to escape characters is a proprietary
>         extension that some databases have. If you want your SQL to be
>         portable across databases, don't use it.

Addslashes has been in the code there for ; the escaping
appears to just be breaking now. Let's actually debug the code
instead. The phrase "proprietary extension" there means nothing to me;
I've never encountered an RDBMS that doesn't allow you to escape '
(else you could never put ' in a record), and if you escape ' with \
you have to escape \ too (else you could never put \ in a record).
 
We don't even know what the problem /is/ yet, and there's no way you
want to execute SQL containing user input without escaping dangerous
characters. Consider

  UPDATE imp_pref SET sig = '$sig' WHERE USER = '...';

where the user has just set their sig to 

  ' WHERE USER = 'me'; DROP DATABASE horde; COMMIT; '

"Don't use it" is very bad advice. Keep in mind that the comments in
the annotated PHP manual are added by users, and are often based on
significant misunderstandings.

But I think I've found the problem; rather than bury it here,
I've put it in its own message, so see my next reply.

  -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Montreal, Quebec, Canada   |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
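
Added illustration, not part of the original message or of IMP's code: the UPDATE from the message run against an in-memory database, comparing unescaped interpolation, addslashes-style backslash escaping, standard SQL quote doubling, and a bound parameter. Assumptions: SQLite stands in as an engine that follows standard SQL quoting (the thread does not say which database was in use), `addslashes` is a Python reimplementation of the PHP function, and `double_quotes`, `store_sig` and the sample signatures are constructed for this example.

```python
import sqlite3

def addslashes(s):
    # Backslash-escape \ ' and " as PHP's addslashes() does (NUL handling omitted).
    for ch in ("\\", "'", '"'):
        s = s.replace(ch, "\\" + ch)
    return s

def double_quotes(s):
    # Standard SQL escaping: a quote inside a literal is written as two quotes.
    return s.replace("'", "''")

def store_sig(sig, escape=None):
    """Save sig for user 'me' and return what the database holds afterwards.

    escape=None uses a bound parameter; otherwise the escaped text is
    spliced into the statement, as in the UPDATE quoted in the message.
    Returns the stored value, or the engine's error class name.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE imp_pref (user TEXT PRIMARY KEY, sig TEXT)")
    db.execute("INSERT INTO imp_pref VALUES ('me', 'old sig')")
    try:
        if escape is None:
            db.execute("UPDATE imp_pref SET sig = ? WHERE user = ?", (sig, "me"))
        else:
            db.execute("UPDATE imp_pref SET sig = '%s' WHERE user = 'me'" % escape(sig))
    except sqlite3.Error as exc:
        return type(exc).__name__
    return db.execute("SELECT sig FROM imp_pref WHERE user = 'me'").fetchone()[0]

# Constructed sample signatures: one with a quote, one with a backslash.
QUOTE_SIG = "Rich's sig"
SLASH_SIG = r"C:\horde"

if __name__ == "__main__":
    for sig in (QUOTE_SIG, SLASH_SIG):
        for name, fn in (("none", str), ("addslashes", addslashes),
                         ("double_quotes", double_quotes), ("bound", None)):
            print("%-14s %-12r -> %r" % (name, sig, store_sig(sig, fn)))
```

On this engine the backslash-escaped quote still ends the literal and the backslash-escaped backslash is stored doubled, so the escaping routine has to match the database's own quoting rules; the bound parameter stores both signatures unchanged without any escaping step.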