Hi,
I am new to DreamFactory and am testing the SQL API. I found that the system gives me an error whenever the contents of a field contain quotation marks. The error returned is:
The Response content must be a string or object implementing __toString()
Which to me means that when generating the response, the value of the field is just getting copied or evaluated without any sanity checking in order to convert quotes to some token that can be easily taken into account when displaying the response and/or generating the JSON object. In my current application, I do take care of binding the field to the contents of a string that may contain quotes in order to allow this character. This is not getting done here, and therefore the result in my case is a 500 error, since the server cannot deal with the quotation marks from the field inside the response generation.
This issue is akin to being vulnerable to SQL injection. With the right value in a text field in the database, "bad things" can happen. Maybe this can be solved by using the addslashes() function??
I have tried to figure out where this is getting done, but have had no luck. Unless this is fixed, or a filter can be placed in order to "escape" these quotation marks inside the text fields, this is useless...
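As an added illustration (not DreamFactory's code, and not a claim about where the error above originates), the PHP below compares three ways of placing a database field value into a JSON response body, using a constructed field value that contains double quotes, an apostrophe, a backslash and a newline; only the last one produces JSON a client can parse.

```php
<?php
// Added example, not DreamFactory code. Three ways of putting a field value
// into a JSON response body, checked against a constructed sample record.

// Constructed sample row, standing in for a record read through the SQL API.
$row = ['id' => 7, 'note' => 'She said "hi", it\'s C:\temp' . "\n" . 'done'];

// 1. Naive concatenation: the inner double quotes terminate the JSON string
//    early, so the body is not valid JSON at all.
function naiveJson(array $row): string {
    return '{"id": ' . $row['id'] . ', "note": "' . $row['note'] . '"}';
}

// 2. addslashes(): escapes \ ' " and NUL. \' is not a legal JSON escape and
//    the raw newline is still illegal inside a JSON string, so the body is
//    still invalid. addslashes() targets a different grammar than JSON.
function addslashesJson(array $row): string {
    return '{"id": ' . $row['id'] . ', "note": "' . addslashes($row['note']) . '"}';
}

// 3. json_encode(): escapes exactly what the JSON grammar requires, so the
//    value round-trips unchanged and the body is always well-formed.
function encodedJson(array $row): string {
    return json_encode($row, JSON_THROW_ON_ERROR);
}

// Check each candidate body the way a client would: parse it back.
function isValidJson(string $body): bool {
    json_decode($body);
    return json_last_error() === JSON_ERROR_NONE;
}

foreach (['naive'       => naiveJson($row),
          'addslashes'  => addslashesJson($row),
          'json_encode' => encodedJson($row)] as $name => $body) {
    printf("%-12s valid=%s\n", $name, isValidJson($body) ? 'yes' : 'no');
}

// Only the json_encode() body decodes back to the original field value.
$decoded = json_decode(encodedJson($row), true);
assert($decoded['note'] === $row['note']);
```

Running it prints valid=no for the first two bodies and valid=yes for the json_encode() one, which is the check to apply to any hand-built response before blaming the stored value.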