Not sure if this is the answer, but it might be - see below.

Chris Faust [[EMAIL PROTECTED]] wrote:
> Hello All,
> 
> This may not be a DBI problem, but I haven't been able to turn up any
> good info so I'm giving the list a shot..
> 
> The problem is with double quotes. In short, I have an HTML form text box to
> take a user-inputted description which gets saved into a MySQL table into
> the following field.
> 
> | Field               | Type         | Null | Key | Default | Extra |
> +---------------------+--------------+------+-----+---------+-------+
> | ListingDescription  | text         | YES  |     | NULL    |       |
> 
> 
> The problem is if a user uses double quotes within that description then
> everything from the first double quote until the end is wiped out
> (everything else is inserted or updated)..
> 
> I am using placeholders and I thought that this was the exact reason to use
> them (so there are no quoting issues), for example
> 
> $sth = $db->prepare("Update table set ListingDescription = ?")

Instead of bounding your prepare with double quotes, try using
qq instead, like this:

  $sth = $db->prepare(qq{
     update table
        set ListingDescription = ?
  }) || die "Error with prepare: $DBI::errstr";

Since there aren't any variables being interpolated within the
sql, you could even substitute a "q" for the "qq".

And, aren't you missing a WHERE clause in that update?

HTH.

-- 
Hardy Merrill
Senior Software Engineer
Red Hat, Inc.

> $sth->execute($form_value{'description'}).
> 
> Should I just do a search and replace on that val and escape any double
> quotes?
> ($val =~ s/"/\\"/g)
> Or is there something I'm missing?
> 
> I guess I need to go back now and start testing things like single quotes
> and whatnot to see if there are other problems with any other chars..
> 
> Thanks in advance for any info.
> -Chris
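The following is an added example, not code from Chris or Hardy. It runs the placeholder-based UPDATE from the thread against an in-memory SQLite database (assumed: DBD::SQLite is installed; the table name `listings`, the `id` column and the sample descriptions are made up for the demo) and reads each value back, to show that a bound placeholder stores double quotes, single quotes and backslashes exactly as typed. It also runs the `s/"/\\"/g` workaround from the post, so you can see that manual escaping on top of a placeholder does not fix anything and instead writes literal backslashes into the column.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Assumes DBD::SQLite is
# installed; table/column names and sample values are constructed here.
use strict;
use warnings;
use DBI;

# An in-memory SQLite database stands in for the MySQL table in the post.
my $db = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                      { RaiseError => 1, AutoCommit => 1 });

$db->do(q{CREATE TABLE listings (id INTEGER PRIMARY KEY, ListingDescription TEXT)});
$db->do(q{INSERT INTO listings (id, ListingDescription) VALUES (1, 'initial')});

# Constructed form values containing the characters that usually cause trouble.
# Inside q{...} only \\ and an escaped delimiter are special, so \\ is one backslash.
my @descriptions = (
    q{Cozy "cottage" with 2 bedrooms},                     # double quotes
    q{Owner's 'retreat' near the lake},                    # single quotes
    q{Path C:\temp\photos and a trailing backslash \\},    # backslashes
    q{"; DROP TABLE listings; --},                         # SQL-shaped text stays data
);

# Same statement as in the post, with the WHERE clause Hardy asked about.
my $update = $db->prepare(qq{
    UPDATE listings
       SET ListingDescription = ?
     WHERE id = ?
});
my $select = $db->prepare(q{SELECT ListingDescription FROM listings WHERE id = ?});

# Returns 1 if a value survives the UPDATE/SELECT round trip unchanged.
sub round_trips_unchanged {
    my ($desc) = @_;
    # No manual escaping: the driver sends the bound value separately from
    # the SQL text, so quotes inside it are never parsed as SQL.
    $update->execute($desc, 1);
    $select->execute(1);
    my ($stored) = $select->fetchrow_array;
    $select->finish;
    return $stored eq $desc ? 1 : 0;
}

for my $desc (@descriptions) {
    printf "%-4s %s\n", (round_trips_unchanged($desc) ? "OK" : "DIFF"), $desc;
}

# The escaping workaround from the post, applied on top of the placeholder,
# corrupts the data: the backslashes become part of the stored value.
(my $escaped = $descriptions[0]) =~ s/"/\\"/g;
$update->execute($escaped, 1);
$select->execute(1);
my ($mangled) = $select->fetchrow_array;
$select->finish;
print "after manual escaping: $mangled\n";   # now contains literal \" sequences

$db->disconnect;
```

Every line of the loop prints `OK`: the placeholder binds the whole description, including the double quotes, so nothing is truncated on the database side. The Perl-side delimiter (`"..."` versus `qq{...}`) only affects how the SQL text itself is written and has no effect on how the bound value is transmitted. If a stored description still appears cut off at the first double quote, the place to look is wherever the value is rendered or re-read afterwards (for example a form field whose attribute value is not HTML-escaped), not the DBI call; escaping the value by hand before binding it only adds stray backslashes to the data.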
