[Vtigercrm-developers] Bug in soap/vtigerolservice.php

[Jeri John]

Dear James,
              Thanks for your fix.We have integrated this and checked in to SVN.
The revision is 9840.

Thanks & Regards,
Jerry.


---- On Tue, 14 Nov 2006 James Tillman <jamestillman at sevatechnologies.com> wrote ---- 

The vtiger forums are down, and there is no immediately obvious way to log bugs for vtiger, so I'm resorting to subscribing to your mailing to report a bug.
 
Using version 502.
 
On line 754 in soap/vtigerolservice.php, there is this code:
 
        $query = "select vtiger_account.accountname
accountname,vtiger_account.accountid accountid from vtiger_account inner
join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_account.accountid
where vtiger_crmentity.deleted=0 and vtiger_account.accountname='"
.$account_name."'";

Besides being an invite to a sql-injection attack, this also creates problems for the Outlook plugin when a contact in Outlook has a company name with an apostrophe in it, and that contact does not yet exist in vtiger.  The contact John Smith, with Bob's Pool Hall in the company name, for example, will create the very unhelpful "Invalid return value from vtigerCRM" error message when you attempt to sync using the Outlook plugin.
 
Modifying line 754 to read:
 
        $query = "select vtiger_account.accountname
accountname,vtiger_account.accountid accountid from vtiger_account inner
join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_account.accountid
where vtiger_crmentity.deleted=0 and vtiger_account.accountname='"
.addslashes($account_name)."'";

while not the best option for a fix, does cause the contact sync to begin working even with apostrophes in the company name.
 
jpt

_______________________________________________
Reach hundreds of potential candidates - http://jobs.vtiger.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20061115/32ed6281/attachment-0004.html