0004603: ' char not escaped in query - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0004603	SOGo	Backend General	public	2018-11-22 08:14	2022-04-27 18:10

Reporter	nenonano	Assigned To	francis
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	[Server] Linux	OS	RHEL/CentOS	OS Version	6
Product Version	4.0.4

Summary	0004603: ' char not escaped in query
Description	I see this error in my logs: cannot execute quick-fetch SQL 'SELECT c_name, c_cn, c_givenname, c_sn, c_screenname, c_o, c_mail, c_telephonenumber, c_categories, c_component, c_hascertificate FROM sogoadmin0016d7c580b_quick WHERE ((UPPER(c_sn) LIKE UPPER('%d'adamo%')) OR (UPPER(c_givenname) LIKE UPPER('%d'adamo%')) OR (UPPER(c_cn) LIKE UPPER('%d'adamo%')) OR (UPPER(c_mail) LIKE UPPER('%d'adamo%')) OR (UPPER(c_categories) LIKE UPPER('%d'adamo%')) OR (UPPER(c_o) LIKE UPPER('%d'adamo%')))': <MySQL4Exception: 0x55dbc0d69818> NAME:ExecutionFailed REASON:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%')) OR (UPPER(c_givenname) LIKE UPPER('%d'adamo%')) OR (UPPER(c_cn) LIKE UPPER(' at line 1 as you can see, the ' in the "d'adamo' string is not escaped. such a char is quite popular in italian surnames
Tags	No tags attached.

Date Modified	Username	Field	Change
2018-11-22 08:14	nenonano	New Issue
2022-04-27 18:10	francis	Assigned To	=> francis
2022-04-27 18:10	francis	Status	new => resolved
2022-04-27 18:10	francis	Resolution	open => fixed
2022-04-27 18:10	francis	Note Added: 0016010

francis 2022-04-27 18:10 administrator ~0016010	Fixed a while ago.