If you make a block and don't override the save method, textfield input is not escaped before being used in the database query to insert/update the record! Just add any basic block -- html, image, youtube, whatever -- and put an apostrophe in the title field (or the main content area for the html block), then submit the form -- if you have PHP errors being displayed, it will show that the SQL query failed.
I know this is in the admin section, so hopefully the site owners and maintainers aren't trying to run SQL injection attacks on their own sites, but escaping all input before using it in a query should always be performed regardless.
Describe
Feb 01, 2010 at 12:09 PM
Can you describe the version, environment, and steps taken to reproduce this? I've never seen this before and I'm sure it would've come up before now. For example, I just tried adding an HTML block with an apostrophe in it to a page and there was no issue/error/escaping, nothing.
It's with save() method only
Feb 02, 2010 at 1:53 AM
What jordanlev is talking about is when a block doesn't clean up the input it might cause an issue.
For example, if you use the basic_test block and simply type in a ' it will give an error.
Screenshot attached (tested on latest SVN).
Beginning or ending with apostrophe
Feb 02, 2010 at 11:23 AM
Interesting -- I guess I jumped the gun a little bit. It's actually only if an apostrophe is at the beginning or the end of the text, not if it's in the middle. Weird.
Yeah
Feb 02, 2010 at 12:01 PM
This must be something to do with ADODB or our implementation of it. I'll check it out. Thanks.
jordanlev
Minor clarification: title should be "textfields aren't escaped"
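Added example (not code from this thread, from concrete5, or from ADODB): a small Python/sqlite3 model of a quoting rule that reproduces exactly the symptom narrowed down above -- an apostrophe at the beginning or end of the field breaks the query, one in the middle does not -- and shows what the same save() looks like when the value is bound as a parameter instead. The heuristic itself, the table name `btBasicTest`, and the sample titles are assumptions constructed for illustration; they are not a claim about what the real code does.

```python
import sqlite3

# Constructed sample titles mirroring the thread's cases (not data from the page).
CASES = {
    "leading": "'quoted title",
    "trailing": "quoted title'",
    "middle": "it's a title",
    "injection": "'', bID = 99",   # starts with an apostrophe, so the heuristic passes it raw
}


def heuristic_quote(value):
    """Hypothetical auto-quoter (an assumption for illustration, not ADODB's or
    concrete5's code): a string that already starts or ends with an apostrophe is
    assumed to be pre-quoted and is dropped into the SQL untouched; anything else
    is wrapped in quotes with embedded apostrophes doubled.  A rule of this shape
    fails on a leading or trailing apostrophe but not on one in the middle."""
    if value.startswith("'") or value.endswith("'"):
        return value
    return "'" + value.replace("'", "''") + "'"


def new_db():
    """Fresh in-memory table standing in for a block's data table (name assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE btBasicTest (bID INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO btBasicTest VALUES (1, '')")
    conn.commit()
    return conn


def save_unsafe(conn, title):
    """A save() that builds the UPDATE by string concatenation and relies on the
    quoting heuristic.  Returns the database error message, or None on success."""
    sql = "UPDATE btBasicTest SET title = %s WHERE bID = 1" % heuristic_quote(title)
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as e:
        return str(e)


def save_safe(conn, title):
    """Hardened save(): the driver binds the value, so there is no quoting logic to get wrong."""
    conn.execute("UPDATE btBasicTest SET title = ? WHERE bID = 1", (title,))
    conn.commit()


def unsafe_outcome(title):
    """(error_or_None, (bID, title) row) after the concatenating save()."""
    conn = new_db()
    err = save_unsafe(conn, title)
    return err, conn.execute("SELECT bID, title FROM btBasicTest").fetchone()


def safe_outcome(title):
    """(bID, title) row after the parameterised save()."""
    conn = new_db()
    save_safe(conn, title)
    return conn.execute("SELECT bID, title FROM btBasicTest").fetchone()


if __name__ == "__main__":
    for name, title in CASES.items():
        print(name, "unsafe:", unsafe_outcome(title), "safe:", safe_outcome(title))
```

The "leading" and "trailing" cases produce a syntax error from the concatenating save(), the "middle" case is stored correctly by both, and the "injection" case shows the real cost of a pass-through rule: with the unsafe save() the title starting with an apostrophe rewrites `bID` and silently moves the row, while the bound-parameter save() stores the string literally. The fix in a PHP block is the same idea as `save_safe`: hand the value to the database layer as a bound parameter rather than building the query string yourself.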