Bug 310467 - Instructions are not escaped.
Status: RESOLVED FIXED
Alias: None
Product: krecipes
Classification: Applications
Component: general
Version: 2.0-beta2
Platform: Debian testing Linux
Importance: NOR major
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
 
Reported: 2012-11-21 22:36 UTC by Thomas Pircher
Modified: 2015-02-21 13:14 UTC

Description Thomas Pircher 2012-11-21 22:36:59 UTC
I'm using postgresql as database backend.

When a recipe's instructions contain a single quote character (as e.g. in brewer's yeast) and I hit the "save recipe" button, then the database is not updated. (And Krecipes does not warn me about it.)

I suspect the free text is passed to the DB without being escaped. I have not tried to enter SQL statements after a quote to test my hypothesis. Also, I have not tried if any other input text field is escaped or not.

Other than that, I like the program, good work!

Reproducible: Always

Steps to Reproduce:
1. Edit a recipe.
2. Add a single quote in the middle of the instructions and some edit (for the verification).
3. Hit "save recipe"
4. Press "Show recipe" to view the recipe again. The previous edit is lost.
Actual Results:  
The instructions field in the recipes table is not updated.

Expected Results:  
The instructions field in the recipes table should be updated with the changes (single quotes should be allowed in the free text)
Comment 1 Jeremy Whiting 2015-02-21 13:14:03 UTC
All user editable fields now encode and escape the contents before saving to the database (of any database kind, not just postgresql). This works here, closing.
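
The failure reported above can be reproduced in miniature. This is an added example, not Krecipes code: it uses an in-memory SQLite database as a stand-in for PostgreSQL, a constructed `recipes` table, and hypothetical function names, and it assumes the save path built the statement by string concatenation and ignored the database error. The corrected variant uses bound parameters, which is a different technique from the escaping the maintainer describes.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the recipes table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, instructions TEXT)")
    db.execute("INSERT INTO recipes (id, instructions) VALUES (1, 'Mix flour and water.')")
    return db

def save_unescaped(db, recipe_id, text):
    """Pastes the free text into the statement and swallows the error,
    so a failed save is indistinguishable from a successful one in the UI."""
    sql = "UPDATE recipes SET instructions = '%s' WHERE id = %d" % (text, recipe_id)
    try:
        db.execute(sql)
        return True
    except sqlite3.Error:
        return False  # the quote closed the literal early; nothing was written

def save_bound(db, recipe_id, text):
    """Passes the text as a bound parameter; it is never parsed as SQL."""
    cur = db.execute(
        "UPDATE recipes SET instructions = ? WHERE id = ?", (text, recipe_id)
    )
    return cur.rowcount == 1

def load(db, recipe_id):
    row = db.execute(
        "SELECT instructions FROM recipes WHERE id = ?", (recipe_id,)
    ).fetchone()
    return row[0]

def demo():
    text = "Add 1 tsp brewer's yeast and stir."  # the input from the report
    db = make_db()
    broken = save_unescaped(db, 1, text)
    after_broken = load(db, 1)   # still the old instructions
    fixed = save_bound(db, 1, text)
    after_fixed = load(db, 1)    # quote stored verbatim
    return broken, after_broken, fixed, after_fixed

if __name__ == "__main__":
    print(demo())
```

Checking the return value of the save and surfacing the error to the user would have exposed the problem even before the quoting was fixed.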