ryansuitposungkono / openjs-grid

Automatically exported from code.google.com/p/openjs-grid

Quotes aren't escaped during inline editing SQL update. #1

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Have a database where a character like " is stored.
2. Attempt to run a save using Grid save method.
3. *Bonk Error*

What is the expected output? What do you see instead?
Expected output would be a successful save.
Actual output is an error where the getSaveArray returns an invalid loop;
likely because the " is throwing something out of whack.

What version of the product are you using? On what operating system?
1.3, Mac Pro Server PHP 5.2, Safari/FF Client on Macbook Pro OSX (Snow Leopard)

Please provide any additional information below.

This led me to check out how you were doing your queries in MySQL, and it seems
like the SQL queries are open to SQL injection. I was thinking that maybe you
should (where you can) use parameterized queries for doing your update/insert
queries - possibly shifting some of the basic DB functionality to using the PDO
library and/or some form of active directory pattern.

Original issue reported on code.google.com by vep....@gmail.com on 11 Mar 2011 at 1:17

GoogleCodeExporter commented 9 years ago
As per our discussion, discovered that the home-grown JSON interpreter is not 
escaping double-quotes properly.  Depending on your POV, you might want to 
consider utilizing the standard json2.js file from json.org w/standard parse() 
and stringify() methods.  People using JSON in their JS will tend to borrow 
from that library anyway to maximize browser coverage.

Original comment by vep....@gmail.com on 15 Mar 2011 at 4:26
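
The two points raised in the comments above (a serializer that does not escape double quotes, and update queries built without parameters), shown as an added example that is not code from openjs-grid or from anyone in this thread. `naiveSerialize`, `tryParse`, `buildUpdate`, the `items` table and its columns are hypothetical; the same placeholder-plus-allow-list shape applies to PDO prepared statements on the PHP side.

```javascript
// Added illustration: all names and sample data here are hypothetical/constructed.

// Home-grown style serializer: wraps each value in quotes without escaping it.
function naiveSerialize(row) {
  const parts = Object.keys(row).map((k) => '"' + k + '":"' + row[k] + '"');
  return '{' + parts.join(',') + '}';
}

// Returns the parsed object, or null when the text is not valid JSON.
function tryParse(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Columns the grid may update (constructed sample schema).
const EDITABLE = new Set(['title', 'notes']);

// Builds a parameterized UPDATE. Values travel as bound parameters; column
// names cannot be bound, so they are checked against an allow-list instead.
// `table` is assumed to be a fixed server-side constant, never user input.
function buildUpdate(table, id, row) {
  const cols = Object.keys(row);
  if (cols.length === 0) throw new Error('nothing to update');
  for (const c of cols) {
    if (!EDITABLE.has(c)) throw new Error('column not editable: ' + c);
  }
  const sets = cols.map((c) => '`' + c + '` = ?').join(', ');
  return {
    sql: 'UPDATE `' + table + '` SET ' + sets + ' WHERE `id` = ?',
    params: cols.map((c) => row[c]).concat([id]),
  };
}

// Constructed cell values containing double quotes and a backslash.
const edited = { title: '19" rack \\ shelf', notes: 'say "hi"' };

// The unescaped quote ends the JSON string early, so parsing fails.
const broken = tryParse(naiveSerialize(edited));
// The standard stringify()/parse() pair round-trips the same row unchanged.
const intact = tryParse(JSON.stringify(edited));
// The quote-bearing values reach the database only as parameters.
const stmt = buildUpdate('items', 7, intact);
console.log(broken, intact, stmt);
```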

GoogleCodeExporter commented 9 years ago
Just curious since there don't seem to be any "patch" notes on 1.4; were you 
able to correct this issue?

Original comment by vep....@gmail.com on 21 Mar 2011 at 7:51

GoogleCodeExporter commented 9 years ago
This has been fixed in 1.5.

Original comment by Seancla...@gmail.com on 26 Mar 2011 at 9:16