Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Select & Update Not Allowed in Names
PostPosted: Tue May 28, 2013 3:23 pm 

Joined: Thu Mar 06, 2008 9:14 pm
Posts: 14
Hi,

We are using A2Billing v2.0.1

I guess this is an anti-MySQL-injection measure, but it seems a little excessive - there are better ways to do this.

If I create a new card and set the company name to 'Selection Recruitment', when saving, the system removes the word 'Select' from the name, leaving 'ion Recruitment'. The same for the word 'Update'.

Is there anywhere that this behavior can be bypassed?

Thanks,
Mark


 Post subject: Re: Select & Update Not Allowed in Names
PostPosted: Wed Jun 05, 2013 4:02 pm 

Joined: Thu Mar 06, 2008 9:14 pm
Posts: 14
OK, I did the digging and see that /common/lib/Misc.php has the function sanitize_data which protects us from any of the following strings in just about any text field.

<?php
// Excerpt of sanitize_data() from /common/lib/Misc.php, wrapped in a function here so it runs on its own.
// Each str_ireplace() is case-insensitive and removes the keyword wherever it occurs, including inside
// ordinary words such as "Selection" or "Updated".
function sanitize_data($input)
{
    #injection sql
    $input = str_ireplace('HAVING', '', $input);
    $input = str_ireplace('UNION', '', $input);
    $input = str_ireplace('SUBSTRING', '', $input);
    $input = str_ireplace('ASCII', '', $input);
    $input = str_ireplace('SHA1', '', $input);
    $input = str_ireplace('MD5', '', $input);
    $input = str_ireplace('SCRIPT', '', $input);
    $input = str_ireplace('ROW_COUNT', '', $input);
    $input = str_ireplace('SELECT', '', $input);
    $input = str_ireplace('UPDATE', '', $input);
    #$input = str_ireplace('DELETE', '', $input);
    return $input;
}

Actually, without mysql_real_escape_string() it could mean a lot of additional code to protect against SQL injection. I guess this approach is a good compromise.

Keep up the excellent work.

Mark
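
The following is an added example, not code from A2Billing or from the poster. It contrasts the keyword-stripping approach quoted above with a parameterized INSERT: binding the company name as a statement parameter keeps the database from parsing it as SQL, so nothing has to be stripped and legitimate names such as 'Selection Recruitment' are stored unchanged. It uses an in-memory SQLite database through PDO and a constructed `company` table (both assumptions for the demonstration, not A2Billing's schema).

```php
<?php
// Added example: keyword blocklist vs. prepared statement.
// Assumes the pdo_sqlite extension is available; the table name is constructed.

// Reproduction of the blocklist behaviour described in the thread.
function sanitize_data_blocklist(string $input): string
{
    $keywords = ['HAVING', 'UNION', 'SUBSTRING', 'ASCII', 'SHA1', 'MD5',
                 'SCRIPT', 'ROW_COUNT', 'SELECT', 'UPDATE'];
    foreach ($keywords as $kw) {
        // Case-insensitive removal also hits substrings of ordinary words.
        $input = str_ireplace($kw, '', $input);
    }
    return $input;
}

// Store a company name with a prepared statement and read it back.
// The value is bound as data, so the SQL text never contains it.
function store_company_name(PDO $db, string $name): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    $insert = $db->prepare('INSERT INTO company (name) VALUES (:name)');
    $insert->execute([':name' => $name]);

    $read = $db->prepare('SELECT name FROM company WHERE id = :id');
    $read->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $read->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample inputs: the name from the thread and another ordinary
// business name that happens to contain blocklisted keywords.
foreach (['Selection Recruitment', 'Updated Ascii Art Ltd'] as $name) {
    printf("blocklist: %-22s -> %s\n", $name, sanitize_data_blocklist($name));
    printf("prepared : %-22s -> %s\n", $name, store_company_name($db, $name));
}
```

The same binding applies to UPDATE and WHERE clauses; once every user-supplied value travels as a bound parameter, the str_ireplace() list adds no protection and only corrupts data.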

