send a note to yourself that's something like this:
What actually gets sent is:
This is because the single-quote needs to be escaped,
so it doesn't terminate the SQL string that get's built.
Reply to this note (leaving the original text in) and
following error will occur:
DB Error: syntax error
select * from mod_notes where message = ' it\'s great!
----- admin wrote: < it\\'s great!!! ' and subject =
'Re: Sent note with subject \'isn\\'t this the
coolest?\' to all users.' and toUser = 'admin' and
fromUser = 'admin' [nativecode=1064 ** You have an
error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right
syntax to use near 's great!!! ' and subject = 'Re:
Sent note with subject \'isn\\]
since the same logic is applied to replace the
single-quote with "\'" the result will be "\\'"
(escape-\ and ') the string terminates.
it is tricky to parse the string so it doesn't
terminate. one way would be to replace all \\ with \ after replacing all ' with \'