[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature
Rich Lafferty
rich@horde.org
Fri, 3 Aug 2001 20:55:56 -0400
On Fri, Aug 03, 2001 at 10:13:10PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> Another comment on addslashes() says:
>
> Using backslashes to escape characters is a proprietary
> extension that some databases have. If you want your SQL to be
> portable across databases, don't use it.

Addslashes has been in the code there for ; the escaping
appears to just be breaking now. Let's actually debug the code
instead. The phrase "proprietary extension" there means nothing to me;
I've never encountered an RDBMS that doesn't allow you to escape '
(else you could never put ' in a record), and if you escape ' with \
you have to escape \ too (else you could never put \ in a record).
We don't even know what the problem /is/ yet, and there's no way you
want to execute SQL containing user input without escaping dangerous
characters. Consider

    UPDATE imp_pref SET sig = '$sig' WHERE USER = '...';

where the user has just set their sig to

    ' WHERE USER = 'me'; DROP DATABASE horde; COMMIT; '

"Don't use it" is very bad advice. Keep in mind that the comments in
the annotated PHP manual are added by users, and are often based on
significant misunderstandings.
But I think I've found the problem; rather than bury it here, I've put
it in its own message, so see my next reply.
-Rich
--
Rich Lafferty --------------+-----------------------------------------------
Montreal, Quebec, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
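
An added example, not part of the original message and not IMP's code: it saves a signature through the UPDATE shown above in four ways on SQLite, an engine that follows standard SQL quoting and treats backslash as an ordinary character. The `addslashes` helper is an approximation of the PHP function, and the user `alice` and the sample signatures are constructed.

```python
import sqlite3

def addslashes(s):
    # Approximation of PHP's addslashes(): backslash-escape \ ' and "
    for ch in ("\\", "'", '"'):   # backslash first, so added ones are not re-escaped
        s = s.replace(ch, "\\" + ch)
    return s

def ansi_quote(s):
    # Standard SQL string-literal quoting: double each single quote
    return s.replace("'", "''")

def store_sig(sig, method):
    """Save sig for the constructed user 'alice'; return the stored value,
    or None if the engine rejected the statement."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE imp_pref (user TEXT, sig TEXT)")
    db.execute("INSERT INTO imp_pref VALUES ('alice', '')")
    template = "UPDATE imp_pref SET sig = '%s' WHERE user = 'alice'"
    try:
        if method == "bound":
            # Placeholder: the value never becomes part of the SQL text
            db.execute("UPDATE imp_pref SET sig = ? WHERE user = 'alice'", (sig,))
        else:
            escape = {"raw": str, "addslashes": addslashes, "ansi": ansi_quote}[method]
            db.execute(template % escape(sig))
    except sqlite3.Error:
        return None
    return db.execute("SELECT sig FROM imp_pref WHERE user = 'alice'").fetchone()[0]

if __name__ == "__main__":
    samples = ["Rich's sig", "C:\\mail\\sig.txt"]  # constructed signatures
    for sig in samples:
        for method in ("raw", "addslashes", "ansi", "bound"):
            print("%-10s %-20r -> %r" % (method, sig, store_sig(sig, method)))
```

On this engine the backslash-escaped quote is a syntax error and an escaped backslash is stored doubled, while the bound parameter round-trips both characters unchanged.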