When creating new categories in the backend, one can create a category with quotes (tested with double quotes but not single), but one cannot delete or disable the category. There is an error in the MySQL query in categories that truncates the category at the double quotes. I created the category, Testing "test", and it was created without an error. On trying to delete the category, I get the following:
DELETE FROM `sys_categories` WHERE `Category` = 'Testing ' AND `ID` = AND `Type` = ''
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND `Type` = ''' at line 2
// check actions
if(bx_get('pathes') !== false) {
    $aPathes = bx_get('pathes');
    if(is_array($aPathes) && !empty($aPathes))
        // note: loops over $_POST['pathes'] directly, not the $aPathes just checked
        foreach($_POST['pathes'] as $sValue) {
            // each posted value is "Category%%ID%%Type"; a value truncated at the
            // quote yields only the first part, so $sId and $sType come back empty
            list($sCategory, $sId, $sType) = split('%%', process_db_input($sValue, BX_TAGS_STRIP));
            // $sId is interpolated unquoted and $sCategory/$sType only escaped by process_db_input
            if (bx_get('action_disable') !== false)
                $oDb->query("UPDATE `sys_categories` SET `Status` = 'passive' WHERE
                    `Category` = '$sCategory' AND `ID` = $sId AND `Type` = '$sType'");
            else if(bx_get('action_delete') !== false)
                $oDb->query("DELETE FROM `sys_categories` WHERE
                    `Category` = '$sCategory' AND `ID` = $sId AND `Type` = '$sType'");
        }
}
As can be seen, the query becomes ill-formed: WHERE `Category` = 'Testing ' AND `ID` = AND
What is the solution here, besides "don't create categories with quotes"? If that is the solution, then the code should not allow categories to be created with quotes. Creating the category, though, is not the issue, as that works. The issue is that one cannot delete or disable the category once it has been created.
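Added example, not Dolphin's own code and not part of the post above: a hardened version of the disable/delete handler that cannot produce the ill-formed query shown, wherever the token is truncated. It assumes a PDO connection in place of the project's $oDb->query(), the same `sys_categories` columns, the same `Category%%ID%%Type` token format, and an in-memory SQLite table as a stand-in for MySQL so it runs offline (SQLite accepts the backtick-quoted identifiers). The function names and the sample row are constructed for the example.

```php
<?php
// Hardened disable/delete handler (added example, not Dolphin code).
// Assumptions: PDO connection, `sys_categories` table with the same
// columns, checkbox values of the form "Category%%ID%%Type".

// Build the checkbox value. ENT_QUOTES escapes both " and ' so a category
// such as Testing "test" survives the HTML value attribute intact.
function category_token(string $sCategory, int $iId, string $sType): string {
    return htmlspecialchars($sCategory . '%%' . $iId . '%%' . $sType, ENT_QUOTES, 'UTF-8');
}

// Parse a posted token. Returns null unless all three parts are present and
// the ID is a plain integer, so a truncated token never reaches SQL.
function parse_category_token(string $sValue): ?array {
    $aParts = explode('%%', $sValue);
    if (count($aParts) !== 3) {
        return null;
    }
    list($sCategory, $sId, $sType) = $aParts;
    if ($sCategory === '' || $sType === '' || !ctype_digit($sId)) {
        return null;
    }
    return ['category' => $sCategory, 'id' => (int) $sId, 'type' => $sType];
}

// Apply the action with a prepared statement: quotes in the category are
// data, and the ID is bound as an integer rather than interpolated.
function apply_category_action(PDO $oDb, string $sAction, array $aPathes): int {
    $aSql = [
        'action_disable' => "UPDATE `sys_categories` SET `Status` = 'passive' WHERE `Category` = ? AND `ID` = ? AND `Type` = ?",
        'action_delete'  => "DELETE FROM `sys_categories` WHERE `Category` = ? AND `ID` = ? AND `Type` = ?",
    ];
    if (!isset($aSql[$sAction])) {
        throw new InvalidArgumentException("unknown action: $sAction");
    }
    $oStmt = $oDb->prepare($aSql[$sAction]);
    $iAffected = 0;
    foreach ($aPathes as $sValue) {
        $aToken = parse_category_token($sValue);
        if ($aToken === null) {
            continue; // malformed token: skip it instead of running a broken query
        }
        $oStmt->bindValue(1, $aToken['category'], PDO::PARAM_STR);
        $oStmt->bindValue(2, $aToken['id'], PDO::PARAM_INT);
        $oStmt->bindValue(3, $aToken['type'], PDO::PARAM_STR);
        $oStmt->execute();
        $iAffected += $oStmt->rowCount();
    }
    return $iAffected;
}

// Constructed sample data in an in-memory SQLite table standing in for MySQL.
$oDb = new PDO('sqlite::memory:');
$oDb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$oDb->exec("CREATE TABLE `sys_categories` (`Category` TEXT, `ID` INTEGER, `Type` TEXT, `Status` TEXT)");
$oDb->exec("INSERT INTO `sys_categories` VALUES ('Testing \"test\"', 5, 'bx_blogs', 'active')");

// Round trip: the escaped attribute value decodes back to the full token.
$sToken  = category_token('Testing "test"', 5, 'bx_blogs');
$sPosted = html_entity_decode($sToken, ENT_QUOTES, 'UTF-8'); // what the browser posts back

// The truncated value from the post is rejected before any SQL runs.
var_dump(parse_category_token('Testing '));

// The intact token deletes the row, quotes and all.
echo apply_category_action($oDb, 'action_delete', [$sPosted]), " row(s) deleted\n";
```

Two points the original handler does not cover: a token that does not split into three parts is dropped instead of being turned into `ID = AND`, and the `ID` position, which the original interpolates unquoted, is only safe when it is cast to an integer or bound with PDO::PARAM_INT, since quote escaping does nothing for an unquoted numeric slot.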