On Tue, 22 Oct 2002 16:16:12 MDT Mike Schienle <[EMAIL PROTECTED]> wrote:

> On Tue, 22 Oct 2002 16:22:04 -0400 [EMAIL PROTECTED] wrote:
> 
> > insert into alerts (alrt, ncmp, suno, mess, prty, spst, dnst, crea, cdat)
> > values ('$max_alert', '$company','$supplier', '$message',
> > '$priority', '2',
> > '2', '$userid', SYSDATE)
> > 
> > This works fine unless there is a single quote in the message, which
> > obviously is a big problem since I cannot restrict my users to not enter
> > quotes into their text message. How can I avoid having this issue?
> 
> # add this near the top of your code
> use HTML::Entities;
> # add this just before your insert command
> encode_entities($message);

This would require decoding after fetching and would make searching
difficult.  There are already quoting methods specific to DBI and Oracle. 
As Hardy suggested, placeholders would be even better.

-- 
Mac :})
** I normally forward private questions to the appropriate mail list. **
Ask Smarter: http://www.tuxedo.org/~esr/faqs/smart-questions.html
Give a hobbit a fish and he eats fish for a day.
Give a hobbit a ring and he eats fish for an age.
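The placeholder approach Mac and Hardy refer to, written out as an added example (not code from anyone in the thread). The DSN, credentials and the sample alert values are constructed for illustration; the table and column names are the original poster's.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical connection details; replace with your own DSN/user/password.
my $dbh = DBI->connect('dbi:Oracle:ORCL', 'scott', 'tiger',
                       { RaiseError => 1, AutoCommit => 0 });

# Placeholders (?) keep the user-supplied values out of the SQL text
# entirely: the driver binds them at execute time, so a single quote in
# $message is just data, never statement syntax.  Constant columns and
# SYSDATE stay in the SQL itself.
my $sth = $dbh->prepare(q{
    insert into alerts (alrt, ncmp, suno, mess, prty, spst, dnst, crea, cdat)
    values (?, ?, ?, ?, ?, '2', '2', ?, SYSDATE)
});

# Insert one alert; $alert is a hashref keyed by the poster's variable names.
sub insert_alert {
    my ($alert) = @_;
    $sth->execute($alert->{max_alert}, $alert->{company}, $alert->{supplier},
                  $alert->{message},   $alert->{priority}, $alert->{userid});
    $dbh->commit;
}

# Constructed sample: the message contains the quote that broke the
# string-interpolated version.
insert_alert({
    max_alert => 17,
    company   => 'ACME',
    supplier  => 'S001',
    message   => "Supplier's shipment didn't arrive",
    priority  => 3,
    userid    => 'mac',
});

# The DBI quoting method Mac mentions, for the rare case where the SQL
# string really must be assembled by hand: $dbh->quote returns the value
# wrapped in single quotes with embedded quotes doubled ('Supplier''s ...').
my $quoted = $dbh->quote("Supplier's shipment didn't arrive");

$dbh->disconnect;
```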

