Details
- Type: Bug
- Status: Done/Fixed
- Priority: Critical
- Resolution: Fixed/Completed
- Affects Version/s: 1.1
- Fix Version/s: 1.2
- Component/s: Technical infrastructure
- Labels: None
Description
Input data is not being properly escaped. I suspect this is a security issue as well as just causing an error:
Array
(
[callback] => Array
(
[0] => CRM_Core_Error
[1] => handle
)
[code] => -2
[message] => DB Error: syntax error
[mode] => 16
[debug_info] => SELECT * FROM civicrm_custom_option WHERE custom_field_id = '1' AND label = 'Women's Issues' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Issues'' at line 1]
[type] => db_error
[user_info] => SELECT * FROM civicrm_custom_option WHERE custom_field_id = '1' AND label = 'Women's Issues' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Issues'' at line 1]
[to_string] => [db_error: message="DB Error: syntax error" code=-2 mode=callback callback=CRM_Core_Error::handle prefix="" info="SELECT * FROM civicrm_custom_option WHERE custom_field_id = '1' AND label = 'Women's Issues' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Issues'' at line 1]"]
)
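
The failure in the error output above, reproduced as an added example (not CiviCRM code and not part of the original report): the same lookup is built once by string concatenation and once with bound parameters. SQLite through Python's `sqlite3` stands in for MySQL, and the table columns, sample rows and function names are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for civicrm_custom_option (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE civicrm_custom_option ("
        "id INTEGER PRIMARY KEY, custom_field_id INTEGER, label TEXT)"
    )
    db.executemany(
        "INSERT INTO civicrm_custom_option (custom_field_id, label) VALUES (?, ?)",
        [(1, "Women's Issues"), (1, "Environment")],
    )
    return db

def find_option_concat(db, field_id, label):
    """Unescaped form: values are pasted into the SQL text, as in the error output."""
    sql = (
        "SELECT * FROM civicrm_custom_option "
        f"WHERE custom_field_id = '{field_id}' AND label = '{label}'"
    )
    return db.execute(sql).fetchall()

def find_option_bound(db, field_id, label):
    """Bound-parameter form: values travel separately and never become SQL text."""
    sql = (
        "SELECT * FROM civicrm_custom_option "
        "WHERE custom_field_id = ? AND label = ?"
    )
    return db.execute(sql, (field_id, label)).fetchall()

def demo():
    """Run both forms with the label from the report; return (concat outcome, bound rows)."""
    db = make_db()
    label = "Women's Issues"  # the value shown in the report's query
    try:
        find_option_concat(db, 1, label)
        concat_result = "ok"
    except sqlite3.OperationalError as exc:
        # The apostrophe ends the string literal early, so the parser rejects the rest.
        concat_result = f"error: {exc}"
    bound_rows = find_option_bound(db, 1, label)
    return concat_result, bound_rows

if __name__ == "__main__":
    print(demo())
```

The concatenated form still works for labels without an apostrophe, which is why this kind of defect can go unnoticed until a value like the one in the report arrives.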