Gmail import needs to escape full names before db insert
Bug #701570 reported by Christopher Adams
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
PPL | Fix Released | Critical | Bassel Safadi |
Bug Description
Full names need to be escaped before insertion into the database, particularly in the eventuality that they contain single quotes, e.g. Tim O'Reilly.
Changed in ppl:
importance: Undecided → Critical
milestone: none → 0.2
status: New → Triaged
Changed in ppl:
assignee: nobody → Bassel Safadi (bassel)
Changed in ppl:
status: In Progress → Fix Released
For Flickr and Twitter contact import, the correct values are achieved by running any usernames that might contain odd characters through mysql_real_escape_string() before insertion into the database.
In the case of GMail import, the usernames are grabbed from Google Contacts by the javascript in widget 38 (gmail_head), which posts them as data to import_gmail.php.
In import_gmail.php, I found it necessary to run the names through stripslashes. Otherwise, the names will show up in the database as Tim O\'Reilly, etc.
An additional step might be to run the variables in the javascript through encodeURIComponent() before posting to import_gmail.php, and then using urldecode on the php side, but in practice I haven't seen that this makes a difference or fixes any potential bugs. Bassel, can you address this?
Interestingly, pace the Flickr and Twitter import which *need* mysql_real_escape_string(), using mysql_real_escape_string() has the effect of *adding* unwanted escape slashes into the database fields.
Anyone want to add some insight into this?
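An added example, not code from PPL or from this thread: it reproduces the stray-backslash symptom described above and shows one way to avoid it, by normalising the posted name once and binding it as a query parameter instead of escaping by hand. Assumptions: the POST data arrives already slash-escaped (as PHP's old magic_quotes_gpc setting did), an in-memory SQLite database via PDO (pdo_sqlite extension) stands in for MySQL, addslashes() stands in for mysql_real_escape_string(), and the table, column and function names are hypothetical.

```php
<?php
// Constructed sample: the full name as it would reach import_gmail.php if the
// request layer had already slash-escaped it (assumption: magic_quotes_gpc-style).
$posted = addslashes("Tim O'Reilly");   // one backslash now precedes the quote

// Undo the request-layer escaping exactly once to recover the real value.
function raw_name(string $posted): string {
    return stripslashes($posted);
}

// In-memory SQLite stands in for the MySQL database (assumption); the
// contacts table and its column are hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, full_name TEXT)');

function store_name(PDO $db, string $name): int {
    // Bound parameter: the driver carries the value separately from the SQL
    // text, so no manual escaping is applied and none can be doubled.
    $stmt = $db->prepare('INSERT INTO contacts (full_name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function load_name(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT full_name FROM contacts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Case 1: pre-escaped input stored untouched, so the backslash lands in the row.
$asPosted = store_name($db, $posted);
// Case 2: pre-escaped input escaped a second time by hand, so slashes multiply.
$escapedAgain = store_name($db, addslashes($posted));
// Case 3: normalise once, then bind; the stored name matches the real one.
$normalised = store_name($db, raw_name($posted));

$rows = ['as posted' => $asPosted, 'escaped again' => $escapedAgain, 'normalised' => $normalised];
foreach ($rows as $label => $id) {
    printf("%-14s %s\n", $label, load_name($db, $id));
}
```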