GroundApps / ShoppingList_Backend

Simple Centralized Shoppinglist - php backend
GNU General Public License v3.0

' in the entry causes an error #66

Closed mfyorp closed 8 years ago

mfyorp commented 9 years ago

I'm entering something like "Joe's favourite sauce".

The apostrophe (') in the entry field causes the following error:

The response did not make sense: Warning: SQLite3::query(): Unable to prepare statement: 1, near "s": syntax error in /var/www/.../ShoppingList_Backend/sqlite_connector.php on line 47. Fatal error: Call to a member function fetchArray() on boolean in /var/www/
jklmnn commented 9 years ago

I feared the day when someone comes and creates an SQL injection. I'm apparently not the best database guy. Do @J-8 or @beli3ver have any ideas?

ghost commented 9 years ago

Normally with PDO SQL injection is not a problem. Here we can use http://php.net/manual/de/function.htmlspecialchars.php

jklmnn commented 9 years ago

So this would be fixed in the next version by pdo? Should we fix this in master?

ghost commented 9 years ago

Yes, we should; that is a big security issue and it must be fixed.

J-8 commented 9 years ago

I don't know about PDO, but the prepared statements sanitize the input before the query, so injection is not a problem in master. I did not have the time to read into PDO, so no idea how it is handled there...?
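The failure in the report and the fix J-8 describes, side by side, as an added example that is not code from the ShoppingList_Backend project: a query built by string concatenation breaks (and is injectable) on the apostrophe in "Joe's favourite sauce", while a prepared statement with a bound parameter stores the same value unchanged. The table `items`, the column `name` and the helper names are assumptions made for the demonstration; the input string is taken from the issue.

```php
<?php
// Added example, not code from the ShoppingList_Backend project.
// Shows why an apostrophe breaks a concatenated SQLite3 query (the
// "near "s": syntax error" in the report) and how a prepared statement
// with bound parameters handles the same input. The table `items` and
// the column `name` are assumptions; the input is the one from the issue.

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$entry = "Joe's favourite sauce";   // constructed input, as in the report

// Vulnerable pattern: the value is spliced into the SQL text, so the
// apostrophe closes the string literal and the remainder is parsed as SQL.
// Any user-controlled characters can change the statement's meaning.
function insertUnsafe(SQLite3 $db, string $name): bool
{
    // @ suppresses the E_WARNING seen in the report; the return value
    // is checked instead of being passed straight to fetchArray().
    $result = @$db->query("INSERT INTO items (name) VALUES ('" . $name . "')");
    return $result !== false;
}

// Fixed pattern: the SQL text is fixed when the statement is prepared;
// the value is transferred separately and is never parsed as SQL,
// whatever characters it contains.
function insertSafe(SQLite3 $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO items (name) VALUES (:name)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    return $stmt->execute() !== false;
}

// Reading the row back, also through a bound parameter.
function findByName(SQLite3 $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE name = :name');
    if ($stmt === false) {
        return null;
    }
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

// The concatenated query fails to prepare; lastErrorMsg() reports the
// syntax error near the text that followed the apostrophe.
var_dump(insertUnsafe($db, $entry));
echo $db->lastErrorMsg(), PHP_EOL;

// The prepared statement succeeds and the value round-trips intact.
var_dump(insertSafe($db, $entry));
print_r(findByName($db, $entry));
```

Run with the SQLite3 extension enabled (`php example.php`). The point of the prepared statement is not escaping: the value never becomes part of the SQL text, so there is nothing to escape. An HTML encoder such as htmlspecialchars() changes how a value renders in a browser, not how SQLite parses it, and is the wrong layer for this problem; PDO with bound parameters gives the same protection as SQLite3::prepare() above.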

the0ne commented 8 years ago

I just confirmed that this is not an issue when using mysql.

the0ne commented 8 years ago

I managed to get sqlite running on my server by adding the following statement to the __construct routine of Database: $this->db->query('PRAGMA journal_mode=OFF;');

I confirmed that this issue no longer appears when using sqlite.