ZC Version:
1.3.7
Filename:
/admin/orders.php
Problem:
When updating orders (status), a MySQL error is raised when choosing "notify customer" if the email addresses contains an apostrophy.
Solution:
Properly escape the email address in the resulting sql query used for the customer notification.
Comments:
An apostrophe, though uncommon, is a valid character in an email address. All queries that contain items that may have such characters should always be escaped before the query is executed. Technically, ALL queries should be escaped before execution just to be safe.
Results 1 to 3 of 3
-
20 Apr 2007, 04:50 PM #1
New Zenner
- Join Date
- Mar 2007
- Location
- Lakeland, FL, US
- Posts
- 44
- Plugin Contributions
- 2
[Done v1.3.8] Apostrophes in customer emails results in MySQL errors
-
24 Apr 2007, 05:47 AM #2
Sensei
- Join Date
- Jan 2004
- Posts
- 66,373
- Blog Entries
- 7
- Plugin Contributions
- 274
Re: Apostrophes in customer emails results in MySQL errors
The exact SQL error would be a great help in tracking this down.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
-
24 Apr 2007, 07:10 AM #3
Sensei
- Join Date
- Jan 2004
- Posts
- 66,373
- Blog Entries
- 7
- Plugin Contributions
- 274
Re: Apostrophes in customer emails results in MySQL errors
If it's the message I *think* you're getting, this should fix it:
/includes/functions/functions_email.php
around line 110 you'll find this:Change it to this:Code://determine customer's email preference type: HTML or TEXT-ONLY (HTML assumed if not specified) $customers_email_format_read = $db->Execute("select customers_email_format from " . TABLE_CUSTOMERS . " where customers_email_address= '" . $to_email_address . "'");Code://determine customer's email preference type: HTML or TEXT-ONLY (HTML assumed if not specified) $customers_email_format_read = $db->Execute("select customers_email_format from " . TABLE_CUSTOMERS . " where customers_email_address= '" . zen_db_input($to_email_address) . "'");.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Similar Threads
-
Apostrophes in text boxes cause MySQL error using Supertracker
By cowgirlmodel in forum All Other Contributions/AddonsReplies: 5Last Post: 8 Apr 2009, 12:08 AM -
[Done 1.3.8] Apostrophes in any order data w/ authorize.net database logging on
By bjornarl in forum Bug ReportsReplies: 9Last Post: 20 Sep 2008, 02:55 AM -
MySQL bottlneck - getting mysql errors
By ksoup in forum General QuestionsReplies: 25Last Post: 3 May 2008, 06:35 PM -
[Done v1.3.8] Apostrophes in product names
By BlindSide in forum Bug ReportsReplies: 6Last Post: 18 Dec 2007, 02:57 AM -
[Done 1.5.0] 'search results per page' never gives search results other than 10
By jeffmic in forum Bug ReportsReplies: 8Last Post: 5 Dec 2006, 10:52 PM
Bookmarks