Michael A Chase wrote:
>
> On Tue, 22 Oct 2002 16:16:12 MDT Mike Schienle <[EMAIL PROTECTED]> wrote:
>
> > On Tue, 22 Oct 2002 16:22:04 -0400 [EMAIL PROTECTED] wrote:
> >
> > > insert into alerts (alrt, ncmp, suno, mess, prty, spst, dnst, crea, cdat)
> > > values ('$max_alert', '$company','$supplier', '$message',
> > > '$priority', '2',
> > > '2', '$userid', SYSDATE)
> > >
> > > This works fine unless there is a single quote in the message, which
> > > obviously is a big problem since I cannot restrict my users to not enter
> > > quotes into their text message. How can I avoid having this issue?
> >
> > # add this near the top of your code
> > use HTML::Entities;
> > # add this just before your insert command
> > encode_entities($message)
>
> This would require decoding after fetching and would make searching
> difficult. There are already quoting methods specific to DBI and Oracle.
> As Hardy suggested, placeholders would be even better.
Besides, it wouldn't actually solve the problem - the ' character is
passed untouched by HTML::Entities.
Steve
--
Steve Piner
Web Applications Developer
Marketview Limited
http://www.marketview.co.nz
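An added example, not code from anyone in this thread, showing the DBI placeholder approach Steve and Hardy recommend applied to the same insert, alongside the DBI-specific quote() method. It assumes DBD::SQLite as a local stand-in for Oracle (CURRENT_TIMESTAMP in place of SYSDATE) and uses a constructed message containing a single quote.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite stands in for the Oracle database in the thread,
# so this runs locally with no server. CURRENT_TIMESTAMP replaces SYSDATE.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do(q{
    CREATE TABLE alerts (
        alrt INTEGER, ncmp TEXT, suno TEXT, mess TEXT, prty INTEGER,
        spst INTEGER, dnst INTEGER, crea TEXT, cdat TEXT
    )
});

# Constructed sample input; the message contains the single quote that
# broke the interpolated INSERT in the original post.
my ($max_alert, $company, $supplier, $priority, $userid) =
    (1, 'ACME', 'Widgets Ltd', 3, 'mschienle');
my $message = "Supplier's delivery is late";

# Placeholders: the SQL text is fixed and the values are bound separately,
# so the database never parses the message as part of the statement.
my $sth = $dbh->prepare(q{
    INSERT INTO alerts (alrt, ncmp, suno, mess, prty, spst, dnst, crea, cdat)
    VALUES (?, ?, ?, ?, ?, 2, 2, ?, CURRENT_TIMESTAMP)
});
$sth->execute($max_alert, $company, $supplier, $message, $priority, $userid);

# $dbh->quote is the DBI quoting method mentioned in the thread: it wraps
# the string and doubles the embedded quote so it can be interpolated.
# Placeholders are still preferable because nothing has to be escaped.
my $quoted = $dbh->quote($message);
print "quote() gives: $quoted\n";

# Read the row back with a placeholder too, and confirm the quote survived.
my ($stored) = $dbh->selectrow_array(
    "SELECT mess FROM alerts WHERE crea = ?", undef, $userid);
print "Stored: $stored\n";
die "message was altered" unless $stored eq $message;
```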