#1529 replying to notes causes illegal SQL
send a note to yourself that's something like this:
it's great!
What actually gets sent is:
it\'s great!
This is because the single-quote needs to be escaped,
so it doesn't terminate the SQL string that get's built.
Reply to this note (leaving the original text in) and
following error will occur:
DB Error: syntax error
select * from mod_notes where message = ' it\'s great!
----- admin wrote: < it\\'s great!!! ' and subject =
'Re: Sent note with subject \'isn\\'t this the
coolest?\' to all users.' and toUser = 'admin' and
fromUser = 'admin' [nativecode=1064 ** You have an
error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right
syntax to use near 's great!!! ' and subject = 'Re:
Sent note with subject \'isn\\]
since the same logic is applied to replace the
single-quote with "\'" the result will be "\\'"
(escape-\ and ') the string terminates.
A fix?
it is tricky to parse the string so it doesn't
terminate. one way would be to replace all \\ with \
after replacing all ' with \'
Logged In: YES
user_id=783140
I was not able to recreate this bug with the current CVS
version of notes using either standard user notes or the
admin multi-sent notes. I believe this was fixed when bug
#1183746 was fixed, which had similar problems. The problem
was with Multi-Send notes. The latest version of
NoteManager.php should fix this problem and will be included
in the next release.
Darren