Bug 318471 - Debian Bug #227251: planner: Single quotes not escaped writing to database
Status: RESOLVED DUPLICATE of bug 168147
Product: planner
Classification: Other
Component: General
Version: 0.11
Hardware: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: planner-maint
QA Contact: planner-maint
Depends on:
Blocks:
 
 
Reported: 2005-10-10 14:38 UTC by Martin-Éric Racine
Modified: 2005-10-13 20:09 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Martin-Éric Racine 2005-10-10 14:38:59 UTC
Please describe the problem:
When planner writes the tasks to the database, a task name with a ' in
it will not be written.  The SQL string that planner is building to
INSERT the data is not properly escaping strings containing ' or \.

Of course in this case it is not a security issue (i.e. SQL injection)
because anyone using planner to write to that database could use psql
and inject whatever directly.

Steps to reproduce:


Actual results:


Expected results:


Does this happen every time?


Other information:
This is an old bug report remaining in the Debian BTS. 

It probably was fixed already but I'm hereby polling the upstream authors to
verify. If it's fixed, I will close the corresponding bugs in the Debian BTS.
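
The failure described in this report, reproduced as an added example (not planner's code and not part of the original report): an INSERT built by string concatenation rejects a task name containing `'`, while the same value passed as a bound parameter is stored unchanged. SQLite stands in for the PostgreSQL database here, and the `task` table, the function names and the sample task names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample task names; the second contains single quotes.
SAMPLE_NAMES = ["Write report", "Review O'Brien's draft"]


def make_db():
    """In-memory database with a hypothetical one-column task table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, name):
    """Pattern from the report: the value is pasted into the SQL text.

    Returns False when the database rejects the statement, which is how a
    task name with a quote ends up not being written.
    """
    sql = "INSERT INTO task (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_bound(conn, name):
    """Corrected form: the value travels as a parameter, never as SQL text."""
    conn.execute("INSERT INTO task (name) VALUES (?)", (name,))
    return True


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM task ORDER BY id")]


def compare(names):
    """Run both insert styles over the same names and report what was stored."""
    naive, bound = make_db(), make_db()
    for n in names:
        insert_concatenated(naive, n)
        insert_bound(bound, n)
    return stored_names(naive), stored_names(bound)


if __name__ == "__main__":
    lost, kept = compare(SAMPLE_NAMES)
    print("concatenated:", lost)
    print("bound:       ", kept)
```
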
Comment 1 Richard Hult 2005-10-13 20:09:25 UTC

*** This bug has been marked as a duplicate of 168147 ***