

#1529 replying to notes causes illegal SQL

N/A-1
closed-works-for-me
Darren Greene
5
2005-05-18
2005-05-18
No

Send a note to yourself that's something like this:
it's great!

What actually gets sent is:
it\'s great!
This is because the single-quote needs to be escaped,
so it doesn't terminate the SQL string that gets built.

Reply to this note (leaving the original text in) and
the following error will occur:

DB Error: syntax error
select * from mod_notes where message = ' it\'s great!
----- admin wrote: < it\\'s great!!! ' and subject =
'Re: Sent note with subject \'isn\\'t this the
coolest?\' to all users.' and toUser = 'admin' and
fromUser = 'admin' [nativecode=1064 ** You have an
error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right
syntax to use near 's great!!! ' and subject = 'Re:
Sent note with subject \'isn\\]

Since the same logic is applied to replace the
single-quote with "\'", the result will be "\\'"
(escape-\ and ') and the string terminates.

A fix?

It is tricky to parse the string so it doesn't
terminate. One way would be to replace all \\ with \ after replacing all ' with \'.

Discussion

  • Darren Greene
    2005-05-18

    • assigned_to: nobody --> dg49379
    • status: open --> closed-works-for-me
     
  • Darren Greene
    2005-05-18

    Logged In: YES
    user_id=783140

    I was not able to recreate this bug with the current CVS
    version of notes using either standard user notes or the
    admin multi-sent notes. I believe this was fixed when bug
    #1183746 was fixed, which had similar problems. The problem
    was with Multi-Send notes. The latest version of
    NoteManager.php should fix this problem and will be included
    in the next release.

    Darren