<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>The vtiger forums
are down, and there is no immediately obvious way to log bugs for vtiger, so I'm
resorting to subscribing to your mailing list to report a bug.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>Using version
502.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>On line 754 in
soap/vtigerolservice.php, there is this code:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006> $query =
"select vtiger_account.accountname<BR>accountname,vtiger_account.accountid
accountid from vtiger_account inner<BR>join vtiger_crmentity on
vtiger_crmentity.crmid=vtiger_account.accountid<BR>where
vtiger_crmentity.deleted=0 and
vtiger_account.accountname='"<BR>.$account_name."'";<BR></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>Besides being an
invite to a SQL injection attack, this also creates problems for the Outlook
plugin when a contact in Outlook has a company name with an apostrophe in it,
and that contact does not yet exist in vtiger. The contact John Smith,
with Bob's Pool Hall in the company name, for example, will create the very
unhelpful "Invalid return value from vtigerCRM" error message when you attempt
to sync using the Outlook plugin.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>Modifying line 754
to read:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006> $query =
"select vtiger_account.accountname<BR>accountname,vtiger_account.accountid
accountid from vtiger_account inner<BR>join vtiger_crmentity on
vtiger_crmentity.crmid=vtiger_account.accountid<BR>where
vtiger_crmentity.deleted=0 and
vtiger_account.accountname='"<BR>.addslashes($account_name)."'";<BR></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=779001314-14112006>while not the best
option for a fix, does cause the contact sync to begin working even with
apostrophes in the company name.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=779001314-14112006>jpt</SPAN></FONT></DIV></BODY></HTML>
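<DIV>Added example, not part of the original message and not vtiger's own code: the account lookup from the report run three ways against the company name "Bob's Pool Hall": plain concatenation, concatenation with addslashes(), and a bound parameter. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database with constructed rows; SQLite does not treat a backslash as an escape character, so the addslashes() variant still fails there, which shows that this kind of escaping depends on the database's quoting rules while a bound parameter does not.</DIV>

```php
<?php
// Added example, not vtiger code. In-memory SQLite via PDO so it runs offline;
// the two tables are cut down to the columns the reported query touches.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vtiger_account (accountid INTEGER, accountname TEXT)');
$db->exec('CREATE TABLE vtiger_crmentity (crmid INTEGER, deleted INTEGER)');

// Constructed sample rows.
$ins = $db->prepare('INSERT INTO vtiger_account VALUES (?, ?)');
$ins->execute([1, "Bob's Pool Hall"]);
$ins->execute([2, 'Acme']);
$db->exec('INSERT INTO vtiger_crmentity VALUES (1, 0), (2, 0)');

const BASE = 'select vtiger_account.accountname accountname, vtiger_account.accountid accountid
  from vtiger_account inner join vtiger_crmentity on vtiger_crmentity.crmid = vtiger_account.accountid
  where vtiger_crmentity.deleted = 0 and vtiger_account.accountname = ';

// String-built lookup as in the report. $escape is null (original line 754)
// or a callable such as 'addslashes' (the proposed change).
function lookupConcatenated(PDO $db, string $name, ?callable $escape = null): string {
    $value = $escape ? $escape($name) : $name;
    try {
        $rows = $db->query(BASE . "'" . $value . "'")->fetchAll(PDO::FETCH_ASSOC);
        return count($rows) . ' row(s)';
    } catch (PDOException $e) {
        // The apostrophe ended the string literal early and the rest failed to parse.
        return 'SQL error';
    }
}

// Bound parameter: the name is sent as data and never parsed as SQL text,
// so no escaping function is needed and quoting rules do not matter.
function lookupBound(PDO $db, string $name): string {
    $stmt = $db->prepare(BASE . '?');
    $stmt->execute([$name]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) . ' row(s)';
}

$name = "Bob's Pool Hall";
echo 'concatenated:        ', lookupConcatenated($db, $name), PHP_EOL;
echo 'addslashes (SQLite): ', lookupConcatenated($db, $name, 'addslashes'), PHP_EOL;
echo 'bound parameter:     ', lookupBound($db, $name), PHP_EOL;
```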