[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

[Fritz Zaucker]

On Fri, 3 Aug 2001, Rich Lafferty wrote:

> On Fri, Aug 03, 2001 at 10:13:10PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> > Another comment on addslashes() says:
> >
> > 	Using blackslahes to escape characters is a proprietary
> >         extension that some databases have. If you want your SQL to be
> >         portable across databases, don't use it.

> Addslashes has been in the code there for ; the escaping
> appears to just be breaking now. Let's actually debug the code
> instead. The phrase "proprietary extension" there means nothing to me;
> I've never encountered an RDBMS that doesn't allow you to escape '
> (else you could never put ' in a record), and if you escape ' with \
> you have to escape \ too (else you could never put \ in a record).

I think this comment meant that using \ as escape character was none-standard.

> We don't even know what the problem /is/ yet, and there's no way you
> want to execute SQL containing user input without escaping dangerous
> characters.

Sure. But \ isn't special in SQL (or is it?), at least not if it is
not used as escape character.

> "Don't use it" is very bad advice. Keep in mind that the comments in
> the annotated PHP manual are added by users, and are often based on
> significant misunderstandings.

Sure, I am not really an SQL expert myself, just wanted to point it out.

> But I think I've found the problem; rather than bury it here, see my
> I've put it in its own message, so see my next reply.

Perfect. I guess this means that I don't have to run your signature
example and report back (I am using MySQL as you assumed).

Fritz

-- 
Dr. Fritz Zaucker, Head IT Support Group
Department of Electrical Engineering,  Federal Institute of Technology
ETZ J97, Gloriastrasse 35, CH-8092 Zurich, Switzerland
Tel.: +41-1-632-5241 Fax: +41-1-632-1194 http://people.ee.ethz.ch/~zaucker/
E-mail: zaucker@ee.ethz.ch (see home page for PGP key)