<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body ><br>Dear James,<br> Thanks for your fix. We have integrated this and checked in to SVN.<br>The revision is 9840.<br><br>Thanks &amp; Regards,<br>Jerry.<br><br><br>---- On Tue, 14 Nov 2006 <b>James Tillman &lt;jamestillman@sevatechnologies.com&gt;</b> wrote ---- <br><br><blockquote style="border-left: 1px solid rgb(160, 154, 255); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>
<div><font face="Arial" size="2"><span class="779001314-14112006">The vtiger forums
are down, and there is no immediately obvious way to log bugs for vtiger, so I'm
resorting to subscribing to your mailing list to report a bug.</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006">Using version
502.</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006">On line 754 in
soap/vtigerolservice.php, there is this code:</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006"> $query =
"select vtiger_account.accountname<br>accountname,vtiger_account.accountid
accountid from vtiger_account inner<br>join vtiger_crmentity on
vtiger_crmentity.crmid=vtiger_account.accountid<br>where
vtiger_crmentity.deleted=0 and
vtiger_account.accountname='"<br>.$account_name."'";<br></span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006">Besides being an
invite to a SQL injection attack, this also creates problems for the Outlook
plugin when a contact in Outlook has a company name with an apostrophe in it,
and that contact does not yet exist in vtiger. The contact John Smith,
with Bob's Pool Hall in the company name, for example, will create the very
unhelpful "Invalid return value from vtigerCRM" error message when you attempt
to sync using the Outlook plugin.</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006">Modifying line 754
to read:</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006"> $query =
"select vtiger_account.accountname<br>accountname,vtiger_account.accountid
accountid from vtiger_account inner<br>join vtiger_crmentity on
vtiger_crmentity.crmid=vtiger_account.accountid<br>where
vtiger_crmentity.deleted=0 and
vtiger_account.accountname='"<br>.addslashes($account_name)."'";<br></span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006">while not the best
option for a fix, does cause the contact sync to begin working even with
apostrophes in the company name.</span></font></div>
<div><font face="Arial" size="2"><span class="779001314-14112006"></span></font> </div>
<div><font face="Arial" size="2"><span class="779001314-14112006">jpt</span></font></div></div>
</blockquote></body></html>
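The account lookup from the report above, run once with the value concatenated into the SQL text and once with a bound parameter, as an added example that is not part of the original thread or of vtiger's code. It assumes PHP's PDO with an in-memory SQLite database and a constructed two-table schema with constructed rows; the function names and the BASE_SQL constant are hypothetical.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
// vtiger uses its own database layer; PDO is an assumption made for this sketch.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE vtiger_account (accountid INTEGER PRIMARY KEY, accountname TEXT)");
$pdo->exec("CREATE TABLE vtiger_crmentity (crmid INTEGER PRIMARY KEY, deleted INTEGER)");
$pdo->exec("INSERT INTO vtiger_account VALUES (1, 'Bob''s Pool Hall'), (2, 'Acme')");
$pdo->exec("INSERT INTO vtiger_crmentity VALUES (1, 0), (2, 0)");

// Same query shape as the line quoted in the report, minus the value.
const BASE_SQL = "select vtiger_account.accountname accountname, vtiger_account.accountid accountid
    from vtiger_account inner join vtiger_crmentity
    on vtiger_crmentity.crmid = vtiger_account.accountid
    where vtiger_crmentity.deleted = 0 and vtiger_account.accountname = ";

// Original pattern: the value becomes part of the SQL text, so any quote
// character in it is parsed as SQL syntax rather than as data.
function lookupConcatenated(PDO $pdo, string $accountName): array
{
    $query = BASE_SQL . "'" . $accountName . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the SQL text is fixed and the value is sent separately,
// so no escaping function is involved at all.
function lookupPrepared(PDO $pdo, string $accountName): array
{
    $stmt = $pdo->prepare(BASE_SQL . "?");
    $stmt->execute([$accountName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "Bob's Pool Hall"; // the company name used in the report

try {
    lookupConcatenated($pdo, $name);
    echo "concatenated: query succeeded\n";
} catch (PDOException $e) {
    // The apostrophe ends the string literal early and the statement no longer parses.
    echo "concatenated: query failed (" . $e->getMessage() . ")\n";
}

$rows = lookupPrepared($pdo, $name);
echo "prepared: " . count($rows) . " row(s), accountid=" . $rows[0]['accountid'] . "\n";
```

Whether `addslashes()` produces a correct literal depends on the database's escaping rules and the connection character set, whereas a bound parameter does not depend on either.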