
SQL Error when recipient name includes apostrophe

13 years 9 months ago #149369 by ptejad
In version 2.1 and below, when friending from a person whose realname includes an apostrophe, as in "Bob's Band", I get an SQL error because the single tick is not escaped. The problem appears to be in the CB PMS plugin.

Upon further investigation, this seems to be a problem throughout uddeIM. It doesn't seem to use addslashes at all for any field that might have them, like message bodies, from realnames, to realnames, etc.

error listed below:

SQL error
DB function failed with error number 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Test Band', 0)' at line 1 SQL=INSERT INTO jos_uddeim (fromid, toid, message, datum, systemmessage, disablereply) VALUES (130, 65, 'You have a pending connection from Phill\'s Test Band (pband)! NOTE: This is a message generated automatically by the Connections system. It has the connecting user\'s address, so you can conveniently reply if you wish to.\n\nPhill\'s Test Band (pband) is requesting to connect with you and requires your approval. Please accept or deny the connection request accordingly. Phill\'s Test Band (pband) included the following personal message:\n \n friend me back!\n Manage Friends\n', 1293112712, 'Phill's Test Band', 0)
SQL =
INSERT INTO jos_uddeim (fromid, toid, message, datum, systemmessage, disablereply) VALUES (130, 65, 'You have a pending connection from Phill\'s Test Band (pband)!

NOTE: This is a message generated automatically by the Connections system. It has the connecting user\'s address, so you can conveniently reply if you wish to.\n\nPhill\'s Test Band (pband) is requesting to connect with you and requires your approval. Please accept or deny the connection request accordingly. Phill\'s Test Band (pband) included the following personal message:\n
\n
friend me back!\n

Manage Friends\n', 1293112712, 'Phill's Test Band', 0)

Post edited by: ptejad, at: 2010/12/23 20:17


Post edited by: ptejad, at: 2010/12/23 20:28

Post edited by: ptejad, at: 2010/12/23 20:30

13 years 9 months ago #149384 by slabbi
Do you use the CB PMS plugin that comes with uddeIM or the plugin that comes with CB?

uddeIM & uddePF Development
CB Language Workgroup
CB 3rd Party Developer

13 years 9 months ago #149386 by ptejad
I'm using the uddeIM supplied Plugin. I found where to fix the specific issue I was having, but I fear there may be other places within uddeIM itself where this may be an issue. I am testing now.

BTW, if you would like to see my modified uddeIM/cb plug existing purely as a cb Tab, please go to musicwaffle.com and sign up. My username is "phill". It's really easy to do, I can send zipped modded code if you like.

thanks for the quick reply!

Post edited by: ptejad, at: 2010/12/23 21:01

13 years 9 months ago #149398 by slabbi
Yes, that would be great. I plan to release uddeIM 2.2 shortly. If you like I could add it to the "3rd Party" folder (please add a README with your license and contact).

btw: The same error should be in CB PMS plugin since we share the same code here.

uddeIM & uddePF Development
CB Language Workgroup
CB 3rd Party Developer

13 years 9 months ago #149425 by slabbi
Could you try the following:

[code:1]
if ($doObfuscate) {
    [...]
} else {
    [...]
    // Escape the message text before it is placed in the INSERT statement
    if (function_exists('mysql_real_escape_string'))
        $cm = mysql_real_escape_string($cm);
    else
        $cm = addslashes($cm);
    $sql="INSERT INTO #__uddeim (fromid, toid, message, datum) [...]
}
[/code:1]

You will find this two times in pms.uddeim.php. It should work but may bring back the "\n" problem in emails which is well known in CB.

uddeIM & uddePF Development
CB Language Workgroup
CB 3rd Party Developer
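
In the failing INSERT quoted in the first post, the message text is escaped but the trailing systemmessage value ('Phill's Test Band') is not. The following PHP is an added example, not uddeIM or CB code: it reproduces that one-missed-field failure and shows bound parameters as an alternative to the per-field escaping suggested in the thread. It assumes PDO with the SQLite driver; an in-memory table stands in for jos_uddeim, and the function names and sample values are constructed for illustration.

```php
<?php
// Added example, not uddeIM code. In-memory SQLite stands in for MySQL;
// column names are the ones shown in the error message on this page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_uddeim (fromid INTEGER, toid INTEGER, message TEXT,
           datum INTEGER, systemmessage TEXT, disablereply INTEGER)');

// "Before": the statement is built by concatenation. The message is quoted
// (PDO::quote stands in for the escaping applied to that field), but the
// sender name is pasted in raw, as in the reported query.
function insert_concatenated(PDO $db, int $from, int $to, string $msg, string $sysname): bool
{
    $sql = 'INSERT INTO jos_uddeim (fromid, toid, message, datum, systemmessage, disablereply) '
         . "VALUES ($from, $to, " . $db->quote($msg) . ', ' . time() . ", '$sysname', 0)";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // the apostrophe ended the string literal early
    }
}

// "After": the statement text is fixed and every value is bound, so no
// field can be missed and nothing depends on a charset-aware escape call.
function insert_bound(PDO $db, int $from, int $to, string $msg, string $sysname): bool
{
    $stmt = $db->prepare(
        'INSERT INTO jos_uddeim (fromid, toid, message, datum, systemmessage, disablereply)
         VALUES (:fromid, :toid, :message, :datum, :systemmessage, 0)'
    );
    return $stmt->execute([
        ':fromid' => $from, ':toid' => $to, ':message' => $msg,
        ':datum' => time(), ':systemmessage' => $sysname,
    ]);
}

// Constructed sample values modelled on the report.
$name = "Phill's Test Band";
$msg  = "You have a pending connection from $name (pband)!";

var_dump(insert_concatenated($db, 130, 65, $msg, $name)); // raw name breaks the statement
var_dump(insert_bound($db, 130, 65, $msg, $name));        // same values, bound
$stored = $db->query('SELECT systemmessage FROM jos_uddeim')->fetchColumn();
var_dump($stored === $name);                              // name stored unchanged
```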
