Bug 310467

Summary: Instructions are not escaped.
Product: [Applications] krecipes
Reporter: Thomas Pircher <tehpeh-kde>
Component: general
Assignee: Unassigned bugs mailing-list <unassigned-bugs>
Status: RESOLVED FIXED
Severity: major
CC: jpwhiting, tehpeh-kde
Priority: NOR
Version: 2.0-beta2
Target Milestone: ---
Platform: Debian testing
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Thomas Pircher 2012-11-21 22:36:59 UTC
I'm using postgresql as database backend.

When a recipe's instructions contain a single quote character (as e.g. in brewer's yeast) and I hit the "save recipe" button, then the database is not updated. (And Krecipes does not warn me about it.)

I suspect the free text is passed to the DB without being escaped. I have not tried to enter SQL statements after a quote to test my hypothesis. Also, I have not tried if any other input text field is escaped or not.

Other than that, I like the program, good work!

Reproducible: Always

Steps to Reproduce:
1. Edit a recipe.
2. Add a single quote in the middle of the instructions and some edit (for the verification).
3. Hit "save recipe"
4. Press "Show recipe" to view the recipe again. The previous edit is lost.
Actual Results:  
The instructions field in the recipes table is not updated.

Expected Results:  
The instructions field in the recipes table should be updated with the changes (single quotes should be allowed in the free text)

Comment 1 Jeremy Whiting 2015-02-21 13:14:03 UTC
All user editable fields now encode and escape the contents before saving to the database (of any database kind, not just postgresql). This works here, closing.
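
Added example (not Krecipes code and not part of either comment): a reproduction of the reported symptom, where an UPDATE built by string concatenation fails on the quote in "brewer's yeast" and the error is swallowed, next to a save that passes the text as a bound parameter. Assumptions: Python's `sqlite3` stands in for the PostgreSQL backend, the function names are hypothetical, and bound parameters are shown here rather than the encode-and-escape approach the fix describes.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory sqlite3 stands in for PostgreSQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, instructions TEXT)")
    db.execute("INSERT INTO recipes (id, instructions) VALUES (1, 'Mix flour and water.')")
    return db

def save_concatenated(db, recipe_id, text):
    """'Before' behaviour: free text pasted into the statement, errors swallowed."""
    sql = ("UPDATE recipes SET instructions = '" + text +
           "' WHERE id = " + str(int(recipe_id)))
    try:
        db.execute(sql)
        return True
    except sqlite3.Error:
        return False  # dropped silently, matching the report: no warning shown

def save_bound(db, recipe_id, text):
    """Bound parameters: the driver carries the text as data, never as SQL."""
    cur = db.execute("UPDATE recipes SET instructions = ? WHERE id = ?",
                     (text, recipe_id))
    if cur.rowcount != 1:
        # Surface a failed save instead of losing the edit quietly.
        raise LookupError(f"recipe {recipe_id} was not updated")
    return True

def stored(db, recipe_id):
    row = db.execute("SELECT instructions FROM recipes WHERE id = ?",
                     (recipe_id,)).fetchone()
    return row[0]

def demo():
    text = "Add the brewer's yeast and stir."  # the quote from the report
    db = make_db()
    results = {}
    results["concat_saved"] = save_concatenated(db, 1, text)
    results["after_concat"] = stored(db, 1)   # old text: the edit was lost
    results["bound_saved"] = save_bound(db, 1, text)
    results["after_bound"] = stored(db, 1)    # new text, quote intact
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The second half of the symptom (no warning to the user) comes from discarding the database error, so a save path should also check the result of the statement and report failures.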