Re: [otrs] Using apostrophes in the subject causing problems

This sounds like an sql escaping issue, where placeholders or proper quoting should be used for all the data, but isn't correct. (this is potentially a security issue too) I've filed a bug report about it http://bugs.otrs.org/show_bug.cgi?id=809 Sheline, Carl (LLU) wrote:

I'm using OTRS 1.3.2

When I create a phone ticket and type "someone's computer needs blah blah" in the subject and then finish out filling the rest of the ticket and then click on create I get this error message:

Error: called with 2 bind variables when 0 are needed, SQL: 'INSERT INTO article (ticket_id, article_type_id, article_sender_type_id, a_from, a_reply_to, a_to, a_cc, a_subject, a_message_id, a_body, a_content_type, content_path, valid_id, incoming_time, create_time, create_by, change_time, change_by) VALUES (36, 5, 3, '"csheline csheline" ', '', 'normal', '', 'carl\'s computer', '', ?, 'text/plain\; charset=iso-8859-15', ?, 1, 1120157813, current_timestamp, 2, current_timestamp, 2)'

So I hit the back button take out the apostrophe and create the ticket no problem.

But the error message generated a ticket ID without an article. I delete the ticket ID and everything seems ok.

I have 2 questions:

1. Can I use apostrophes at all?

2. Every time I get an error message like the one above will I get data corruption?

Thanks,

Carl Sheline School of Dentistry Loma Linda University _______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs Support oder Consulting für Ihr OTRS System?