[Vtigercrm-developers] Bug in soap/vtigerolservice.php

James Tillman jamestillman at sevatechnologies.com
Tue Nov 14 06:20:08 PST 2006


The vtiger forums are down, and there is no immediately obvious way to
log bugs for vtiger, so I'm resorting to subscribing to your mailing list to
report a bug.
 
Using version 502.
 
On line 754 in soap/vtigerolservice.php, there is this code:
 
        $query = "select vtiger_account.accountname accountname,
                         vtiger_account.accountid accountid
                  from vtiger_account
                  inner join vtiger_crmentity
                      on vtiger_crmentity.crmid = vtiger_account.accountid
                  where vtiger_crmentity.deleted = 0
                      and vtiger_account.accountname = '" . $account_name . "'";

Besides being an invitation to a SQL-injection attack, this also creates
problems for the Outlook plugin when a contact in Outlook has a company
name with an apostrophe in it, and that contact does not yet exist in
vtiger.  The contact John Smith, with Bob's Pool Hall in the company
name, for example, will create the very unhelpful "Invalid return value
from vtigerCRM" error message when you attempt to sync using the Outlook
plugin.
 
Modifying line 754 to read:
 
        $query = "select vtiger_account.accountname accountname,
                         vtiger_account.accountid accountid
                  from vtiger_account
                  inner join vtiger_crmentity
                      on vtiger_crmentity.crmid = vtiger_account.accountid
                  where vtiger_crmentity.deleted = 0
                      and vtiger_account.accountname = '" . addslashes($account_name) . "'";

while not the best option for a fix, does cause the contact sync to
begin working even with apostrophes in the company name.
 
jpt
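The addslashes() workaround above stops the apostrophe from breaking the statement, but it escapes without regard to the database connection's character set, so the usual fix for this class of bug is to stop building the SQL by concatenation altogether. The following is an added example, not vtiger's own code: the same account lookup written as a parameterized query with PDO, run against an in-memory SQLite database holding constructed sample rows so it executes stand-alone. The table layout is reduced to the columns the query touches, and the PDO connection, helper name and sample data are assumptions for the demonstration; a real deployment would use the CRM's MySQL connection.

```php
<?php
// Added example (not from vtiger): the account lookup from
// soap/vtigerolservice.php rewritten as a prepared statement.

function lookupAccount(PDO $db, string $accountName): array
{
    // The '?' placeholder replaces string concatenation. The driver sends
    // the value separately from the SQL text, so quote characters in the
    // account name are compared as data and cannot change the statement.
    $sql = "select vtiger_account.accountname accountname,
                   vtiger_account.accountid accountid
            from vtiger_account
            inner join vtiger_crmentity
                on vtiger_crmentity.crmid = vtiger_account.accountid
            where vtiger_crmentity.deleted = 0
              and vtiger_account.accountname = ?";
    $stmt = $db->prepare($sql);
    $stmt->execute([$accountName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample schema and data (SQLite in memory, only the columns
// the query needs; not vtiger's real schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table vtiger_crmentity (crmid integer primary key, deleted integer not null)");
$db->exec("create table vtiger_account (accountid integer primary key, accountname text not null)");

$insertEntity  = $db->prepare("insert into vtiger_crmentity (crmid, deleted) values (?, ?)");
$insertAccount = $db->prepare("insert into vtiger_account (accountid, accountname) values (?, ?)");
$sample = [
    [1, "Bob's Pool Hall",        0],   // the case that broke the Outlook sync
    [2, "O'Reilly's \"Bar\" & Co", 0],   // mixed quote characters, still plain data
    [3, "Old Co",                 1],   // marked deleted, must not be returned
];
foreach ($sample as [$id, $name, $deleted]) {
    $insertEntity->execute([$id, $deleted]);
    $insertAccount->execute([$id, $name]);
}

// An apostrophe in the company name is now just part of the value.
$rows = lookupAccount($db, "Bob's Pool Hall");
if (count($rows) !== 1 || (int) $rows[0]['accountid'] !== 1) {
    throw new RuntimeException("expected exactly one row for Bob's Pool Hall");
}

$rows = lookupAccount($db, "O'Reilly's \"Bar\" & Co");
if (count($rows) !== 1 || (int) $rows[0]['accountid'] !== 2) {
    throw new RuntimeException("expected exactly one row for the mixed-quote name");
}

// The deleted flag on vtiger_crmentity still filters rows out.
if (lookupAccount($db, "Old Co") !== []) {
    throw new RuntimeException("deleted account should not be returned");
}

echo "all lookups behaved as expected\n";
```

Because the name travels as a bound parameter, the query no longer needs any escaping call at all, and the same pattern covers every other place in the SOAP service that splices Outlook-supplied strings into SQL.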