View Issue Details

ID: 0004603
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2022-04-27 18:10
Reporter: nenonano
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 6
Product Version: 4.0.4
Summary: 0004603: ' char not escaped in query
Description

I see this error in my logs:

cannot execute quick-fetch SQL 'SELECT c_name, c_cn, c_givenname, c_sn, c_screenname, c_o, c_mail, c_telephonenumber, c_categories, c_component, c_hascertificate FROM sogoadmin0016d7c580b_quick WHERE ((UPPER(c_sn) LIKE UPPER('%d'adamo%')) OR (UPPER(c_givenname) LIKE UPPER('%d'adamo%')) OR (UPPER(c_cn) LIKE UPPER('%d'adamo%')) OR (UPPER(c_mail) LIKE UPPER('%d'adamo%')) OR (UPPER(c_categories) LIKE UPPER('%d'adamo%')) OR (UPPER(c_o) LIKE UPPER('%d'adamo%')))': <MySQL4Exception: 0x55dbc0d69818> NAME:ExecutionFailed REASON:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%')) OR (UPPER(c_givenname) LIKE UPPER('%d'adamo%')) OR (UPPER(c_cn) LIKE UPPER(' at line 1

As you can see, the ' in the "d'adamo" string is not escaped.
Such a char is quite popular in Italian surnames.

Tags: No tags attached.
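
Added example, not SOGo code and not part of the original report: the same LIKE search built by pasting the term into the SQL text, next to a version that binds the term as a parameter. It goes slightly beyond the report by also escaping the LIKE wildcards % and _ so the term is matched literally. Assumptions: Python's sqlite3 with an in-memory database stands in for the MySQL backend, and the table name contacts_quick and its rows are constructed.

```python
import sqlite3

# Four of the columns from the logged query; the table name and rows are constructed.
FIELDS = ("c_sn", "c_givenname", "c_cn", "c_mail")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts_quick "
               "(c_name TEXT, c_sn TEXT, c_givenname TEXT, c_cn TEXT, c_mail TEXT)")
    db.executemany("INSERT INTO contacts_quick VALUES (?, ?, ?, ?, ?)", [
        ("1.vcf", "D'Adamo", "Anna", "Anna D'Adamo", "anna@example.org"),
        ("2.vcf", "Rossi", "Marco", "Marco Rossi", "marco@example.org"),
        ("3.vcf", "Adamo", "Luca", "Luca Adamo", "100%luca@example.org"),
    ])
    return db

def search_concatenated(db, term):
    # Same shape as the logged query: the search term is pasted into the SQL text.
    where = " OR ".join(f"(UPPER({f}) LIKE UPPER('%{term}%'))" for f in FIELDS)
    sql = f"SELECT c_name FROM contacts_quick WHERE {where} ORDER BY c_name"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"  # the quote in the term ended the string literal early

def like_pattern(term):
    # Escape LIKE metacharacters so the term is matched literally, then wrap it in %...%.
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return f"%{term}%"

def search_parameterized(db, term):
    # The term travels as a bound parameter and never becomes part of the SQL text.
    where = " OR ".join(f"(UPPER({f}) LIKE UPPER(?) ESCAPE '\\')" for f in FIELDS)
    sql = f"SELECT c_name FROM contacts_quick WHERE {where} ORDER BY c_name"
    return [row[0] for row in db.execute(sql, [like_pattern(term)] * len(FIELDS))]

if __name__ == "__main__":
    db = make_db()
    for term in ("rossi", "d'adamo", "%"):
        print(repr(term), search_concatenated(db, term), search_parameterized(db, term))
```
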

Activities

francis

2022-04-27 18:10

administrator   ~0016010

Fixed a while ago.

Issue History

Date Modified      Username   Field                 Change
2018-11-22 08:14   nenonano   New Issue
2022-04-27 18:10   francis    Assigned To           => francis
2022-04-27 18:10   francis    Status                new => resolved
2022-04-27 18:10   francis    Resolution            open => fixed
2022-04-27 18:10   francis    Note Added: 0016010