We had a customer sign up with an apostrophe in their last name and this caused a SQL error in modules/payment/cardonfile.php.
I replaced this on line 39:
$sql = "SELECT customers_id FROM customers WHERE customers_firstname = '{$order->customer['firstname']}' AND customers_lastname = '{$order->customer['lastname']}'";
with this:
$lastname = addslashes($order->customer['lastname']);
$firstname = addslashes($order->customer['firstname']);
$sql = "SELECT customers_id FROM customers WHERE customers_firstname = '{$firstname}' AND customers_lastname = '{$lastname}'";
We have ver. v1.3.9b.
I am surprised this has not come up before!
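Added example (not part of the original post and not Zen Cart code): the same lookup against an in-memory SQLite table with a constructed customer, comparing the interpolated query, the addslashes() variant and bound parameters. The PDO connection, the sample row and the function names are assumptions for illustration; the store itself runs on MySQL, which accepts backslash escapes by default, while SQLite does not.

```php
<?php
// Added example with constructed data; in-memory SQLite stands in for the store database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (
    customers_id INTEGER PRIMARY KEY,
    customers_firstname TEXT,
    customers_lastname TEXT)");
$pdo->prepare("INSERT INTO customers (customers_firstname, customers_lastname) VALUES (?, ?)")
    ->execute(['Pat', "O'Brien"]);

// Constructed stand-in for $order->customer.
$customer = ['firstname' => 'Pat', 'lastname' => "O'Brien"];

// Query text built by interpolation, as on line 39 of the post.
// $escape is optional: pass 'addslashes' to reproduce the posted fix.
function lookup_interpolated(PDO $pdo, array $c, ?callable $escape = null): string {
    $first = $escape ? $escape($c['firstname']) : $c['firstname'];
    $last  = $escape ? $escape($c['lastname'])  : $c['lastname'];
    $sql = "SELECT customers_id FROM customers"
         . " WHERE customers_firstname = '{$first}' AND customers_lastname = '{$last}'";
    try {
        $id = $pdo->query($sql)->fetchColumn();
        return $id === false ? 'no match' : "id {$id}";
    } catch (PDOException $e) {
        // The apostrophe ended the string literal early, so the statement no longer parses.
        return 'SQL error: ' . $e->getMessage();
    }
}

// Bound parameters: the values travel separately from the SQL text,
// so no escaping function (and no knowledge of the engine's quoting rules) is needed.
function lookup_bound(PDO $pdo, array $c): string {
    $stmt = $pdo->prepare("SELECT customers_id FROM customers"
        . " WHERE customers_firstname = :first AND customers_lastname = :last");
    $stmt->execute([':first' => $c['firstname'], ':last' => $c['lastname']]);
    $id = $stmt->fetchColumn();
    return $id === false ? 'no match' : "id {$id}";
}

echo "interpolated:  ", lookup_interpolated($pdo, $customer), "\n";
// addslashes() emits \' which only works where the engine honours backslash escapes.
echo "addslashes():  ", lookup_interpolated($pdo, $customer, 'addslashes'), "\n";
echo "bound params:  ", lookup_bound($pdo, $customer), "\n";
```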