Ticket #311 (closed defect: fixed)
Apostrophe in Invoice Memo Line Breaks phpBMS
| Reported by: | leftlink | Owned by: | brieb |
|---|---|---|---|
| Priority: | major | Milestone: | unknown |
| Component: | phpbms | Version: | trunk |
| Keywords: | | Cc: | |
Description
I found a serious problem when I entered the name of a client in the memo line of an invoice. The client includes the word "Angie's" and the apostrophe is not escaped properly before it is submitted to MySQL.
The result is a MySQL error as follows when the button to Save the invoice is clicked.
This should be fixed immediately as it might allow malicious code to be submitted into MySQL.
-rich
##### error message after this line
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's', 0, 0, 0, 60, 1, 3, 2, ' at line 20
Statement: INSERT INTO lineitems( invoiceid, productid, memo, taxable, unitweight, unitcost, unitprice, quantity, displayorder, createdby, creationdate, modifiedby, modifieddate ) VALUES ( 1000, 1, 'Angie's', 0, 0, 0, 60, 1, 3, 2, NOW(), 2, NOW() )
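The failure above is the classic sign of an SQL statement built by string concatenation: the apostrophe in "Angie's" closes the memo literal early and the rest of the value is parsed as SQL. The following is an added illustration, not code from phpBMS or from the reporter: it rebuilds the reported INSERT against a constructed, reduced lineitems table in SQLite (chosen because it runs offline; the column names and the memo values are assumptions), reproduces the syntax error, shows the same insert done with a bound parameter, and shows why the reporter's concern is justified by passing a memo that silently rewrites the inserted price.

```python
import sqlite3

# Constructed, reduced schema standing in for phpBMS's lineitems table:
# only the columns needed to show the point, not the project's real schema.
SCHEMA = """
CREATE TABLE lineitems (
    id        INTEGER PRIMARY KEY,
    invoiceid INTEGER NOT NULL,
    productid INTEGER NOT NULL,
    memo      TEXT,
    unitprice REAL NOT NULL
)
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, invoiceid, productid, memo, unitprice):
    """Builds the INSERT by string concatenation, as the ticket describes.
    Any apostrophe in `memo` terminates the string literal early, so the
    remainder of the memo is parsed as SQL. Returns the SQL that was run."""
    sql = (
        "INSERT INTO lineitems (invoiceid, productid, memo, unitprice) "
        f"VALUES ({invoiceid}, {productid}, '{memo}', {unitprice})"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def insert_safe(conn, invoiceid, productid, memo, unitprice):
    """Same insert with bound parameters: the driver passes the memo as
    data, so quote characters in it never reach the SQL parser."""
    conn.execute(
        "INSERT INTO lineitems (invoiceid, productid, memo, unitprice) "
        "VALUES (?, ?, ?, ?)",
        (invoiceid, productid, memo, unitprice),
    )
    conn.commit()


def memo_of(conn, invoiceid):
    row = conn.execute(
        "SELECT memo FROM lineitems WHERE invoiceid = ?", (invoiceid,)
    ).fetchone()
    return row[0] if row else None


def reproduce():
    """Reproduces the ticket: the concatenated insert of "Angie's" fails with
    a syntax error, the parameterised insert stores the value intact.
    Returns (outcome_of_unsafe_insert, memo_stored_by_safe_insert)."""
    conn = fresh_db()
    try:
        insert_unsafe(conn, 1000, 1, "Angie's", 60)
        unsafe_outcome = "inserted"
    except sqlite3.OperationalError:
        # SQLite's equivalent of MySQL's "You have an error in your SQL syntax"
        unsafe_outcome = "OperationalError"
    insert_safe(conn, 1000, 1, "Angie's", 60)
    return unsafe_outcome, memo_of(conn, 1000)


def price_tampering():
    """Constructed memo that closes the literal, supplies its own unitprice
    and comments out the rest of the statement. With concatenation the row
    is stored with price 0 instead of 60; with insert_safe the same string
    would simply be stored as the memo text. Returns (memo, unitprice)."""
    conn = fresh_db()
    insert_unsafe(conn, 1001, 1, "x', 0) -- ", 60)
    return conn.execute(
        "SELECT memo, unitprice FROM lineitems WHERE invoiceid = 1001"
    ).fetchone()


if __name__ == "__main__":
    print(reproduce())         # ('OperationalError', "Angie's")
    print(price_tampering())   # ('x', 0.0)
```

In PHP against MySQL the fix is the same shape: bind the memo with a prepared statement (mysqli or PDO) rather than interpolating it into the query string; escaping alone only addresses the visible symptom and must be applied to every interpolated value to hold.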