Database error when submitting form to request API key

[jpmckinney]

A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 're building a single point of entry to a variety of public APIs containing data ' at line 1

insert into api_users(`au_email`, `au_organization`, `au_url`, `au_name`, `au_description`)values('[OMITTED]@gmail.com', '', 'http://influencemapping.org/', 'James McKinney', 'We're building a single point of entry to a variety of public APIs containing data on people, organizations, and influence.')

Filename: /home/openinstitute/OpenDuka/Alpha/models/api_m.php

Line Number: 50

[jpmckinney]

Looks like possible SQL injection issue.

[jpmckinney]

Confirmed SQL injection issue. The error appeared because I had a single quotation mark in my answer to "Description of your application".

[maxvonhippel]

@jpmckinney as OP can you close the issue? Unless I misunderstand it sounds like this is a feature not a bug.

[jpmckinney]

@maxvonhippel It's quite natural for people completing the form to use English contractions (we're, I'm, etc.) in the description. The code should escape quotes - it shouldn't pass them unescaped to the SQL query string!

[maxvonhippel]

Ah, gotcha! Sorry it was late, that should have been obvious. Understood.