In profiles >> About Me, I entered information and used single quotes ( 'xxx') on a word. The info would not save/display in the multiline box. I removed the single quotes and everything worked fine.

Markus, is this the same issue we had with the top area menu description display?

Hi John; I received a similar report from another webmaster working on his site. It's been a long day at work and meetings enough to call it a day by now. I will investigate this in the course of tomorrow, and will issue a fix while I'm at it. Hang in there. I haven't tested this feature exhaustively yet; will do.

So I haven't crossed this bridge yet, though I managed to bump into it. Still dragging away a cart full of customer bricks, and apparently I have also something else I need to tidy up with the form/profile builders (using the same engine). This will be fine-tuned momentarily.

In the meantime, you are welcome to use the HTML entity for apostrophe, which is ' (or ‘ for a curved single quote) and will display as a regular apostrophe ' when interpreted by the browser.

Please note however that regardless of this workaround, you should always report any issues you may face, and especially with apostrophes, as it's critical that they behave correctly in MySQL queries. In this case there is no issue of SQL injection (and the glitch is in the options processor), and I like to think they've been addressed across the board, but all the same it's better to be safe than sorry.

Oops — just to clarify, did you mean that you entered this in the member profile page under Members module or in the Admin CP profile builder itself? Because the other report I received was about the Admin end.

Mine was in the Members module - just writing a few words in the 'About Me' field - as a member would.

Alright --- as I have just tested that again, and it works fine for me? Is this in "Basic Settings" or "Profile Details", and what field in particular? Can you duplicate this behavior in our online demo?

I have also verified that all Profile Details data is routed through the generic build_update_query() function, which does centralized apostrophe escaping for all ingoing data in this case (centralized in 1.21).

If you are using other files from 1.21 but for some reason had the 1.20 class_mysql.php file in place, this would be a possible cause and you should reupload the 1.21 version immediately. (There is no vulnerability in 1.20 in this regard, only the point of filtering has been centralized, but different file versions would cause an issue here, which would explain the unsaved data.)

If you want to double check the queries that are being ran, do the &debug=on and see what the system says at the bottom when you attempt to save the data.

Must have been something I did at the time because it works fine now! Sorry about that.

I did, however, just notice something different which I hadn't spotted before:

In Settings >> View Profile - directly under the words 'Member Portal' there is a 'Last Active' field displaying (what I think is) a Unix timestamp (it says Last Active: 1268195728).

I suspect the reason why you didn't spot it before is related with this and is something you may have done as a matter of experiment when I typed in notes on how you could do it. Please check; as I can't see it anywhere. Sounds like you put in the member_last_active tag somewhere (possibly a few centimeters off the mark) and didn't stick in a preprocessor to turn it into a proper human-readable date

You could of course also learn to read Unix timestamps and divide 10 digits by 86400 in your head, and leave it as it is. If you wanted to go super geek, you could add in a base_convert() preprocessor and have them all in binary (or base two). Might confuse gramps a bit though.

Sounds like you put in the member_last_active tag somewhere (possibly a few centimeters off the mark)

Thanks Markus. That's exactly what it was - quite a few kilometers off the mark!

Yes it sounded like it was probably both in the wrong file and in the wrong place... So that's all clear then — great!