
Change selections of Price Set fails with ' in label name

Details

• Type: Bug
• Status: Done/Fixed
• Priority: Minor
• Resolution: Fixed/Completed
• Affects Version/s: 4.6.3
• Fix Version/s: 4.6.5
• Component/s: CiviContribute
• Labels: None
• Documentation Required?: None
• Funding Source: Core Team Funds

      Description

Just found out that in our configuration changing selections of a Price Set fails because we have a ' in a label name (the label is: geen 'sterke schouder'-toeslag).
I have no clue where to search for this, but doesn't this possibly point to a security issue, as the value is not properly cleaned before being executed as a query?

      UPDATE civicrm_line_item li
      SET li.qty = 1,
      li.line_total = 0,
      li.tax_amount = NULL,
      li.unit_price = 0,
      li.label = 'geen 'sterke schouder'-toeslag'
      WHERE (li.entity_table = 'civicrm_participant' AND li.entity_id = 2120) AND
      (price_field_value_id = 23)
      [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sterke schouder'-toeslag'
      WHERE (li.entity_table = 'civicrm_participant' AND li.' at line 6]
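
Added example (not code from the CiviCRM project or from this issue) reproducing the failure above with Python's sqlite3 module: interpolating the raw label into the UPDATE breaks the statement the same way the MySQL error shows, while binding the label as a query parameter succeeds. The table is a constructed stand-in for civicrm_line_item, and the `li` alias is dropped because SQLite does not accept it.

```python
import sqlite3

# Label from the report; the embedded ' is what breaks the interpolated query.
LABEL = "geen 'sterke schouder'-toeslag"

# Same SET/WHERE shape as the failing statement, minus the MySQL-only 'li' alias.
UPDATE_SET = ("UPDATE civicrm_line_item SET qty = 1, line_total = 0, "
              "tax_amount = NULL, unit_price = 0, label = ")
WHERE = (" WHERE (entity_table = 'civicrm_participant' AND entity_id = 2120) "
         "AND (price_field_value_id = 23)")


def make_db():
    # Constructed stand-in schema: only the columns the UPDATE touches.
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE civicrm_line_item (
        id INTEGER PRIMARY KEY, entity_table TEXT, entity_id INTEGER,
        price_field_value_id INTEGER, qty REAL, line_total REAL,
        tax_amount REAL, unit_price REAL, label TEXT)""")
    conn.execute("INSERT INTO civicrm_line_item VALUES "
                 "(1, 'civicrm_participant', 2120, 23, 2, 10.0, NULL, 5.0, 'old label')")
    return conn


def update_label(conn, label, parameterized):
    """Run the line-item UPDATE; returns (ok, error_message)."""
    try:
        if parameterized:
            # The label is bound by the driver and never becomes SQL text,
            # so quotes inside it cannot alter the statement.
            conn.execute(UPDATE_SET + "?" + WHERE, (label,))
        else:
            # Raw interpolation, as in the report: the ' in the label closes
            # the string literal early and the rest is parsed as SQL.
            conn.execute(UPDATE_SET + f"'{label}'" + WHERE)
        return True, None
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def current_label(conn):
    return conn.execute("SELECT label FROM civicrm_line_item WHERE id = 1").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(update_label(db, LABEL, parameterized=False))  # syntax error, row unchanged
    print(update_label(db, LABEL, parameterized=True))   # (True, None)
    print(current_label(db))
```

In CiviCRM itself the equivalent fix is to pass the label through the `$params` array of `CRM_Core_DAO::executeQuery()` (typed as `'String'`) instead of concatenating it into the query text; that is general knowledge of the code base, not something this issue states.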

People

• Assignee: monish.deb Monish Deb
• Reporter: magnolia61 Richard
• Votes: 0
• Watchers: 3