Thanks Ronald, you're right, as that is what I'm doing: the first form page is
the user input for the description, and then they can "preview" it in another
page before the post.

The thing is, I'm using CGI and I thought that all escaping was handled by the
module..
That is to say, at the top of my script I simply populate all my form vals via:

my ($name, $value);
# Copy every submitted parameter into %all_form_vals.
# For a multi-valued parameter the last value wins.
foreach $name ($CGI->param) {
    $all_form_vals{$name} = 1;
    foreach $value ($CGI->param($name)) {
        $all_form_vals{$name} = $value;
    }
}

Then when I'm previewing or inserting that text into the DB, I'm just using
"$all_form_vals{'description'}".

So I guess the next thing to try is escaping just the double quotes in the
description and see if that fixes the problem?

Thanks
-Chris


>> -----Original Message-----
>> From: Ronald J Kimball [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, December 17, 2002 9:28 AM
>> To: Chris Faust
>> Cc: DBI
>> Subject: Re: Inserting DoubleQuotes using Placeholders
>>
>>
>> On Tue, Dec 17, 2002 at 09:11:22AM -0500, Chris Faust wrote:
>> > Hello All,
>> >
>> > This may not be a DBI problem, but I haven't been able to turn up any
>> > good info so I'm giving the list a shot..
>> >
>> > The problem is with double quotes. In short, I have an HTML form text box
>> > to take a user-inputted description which gets saved into a mySql table
>> > into the following field.
>>
>> > The problem is if a user uses double quotes within that description, then
>> > everything from the first double quote until the end is wiped out
>> > (everything else is inserted or updated)..
>> >
>> > I am using placeholders and I thought that this was the exact reason to
>> > use them (so there are no quoting issues), for example
>>
>> I would guess that you are passing the values through hidden fields in
>> another HTML page before inserting them into the database, and failing to
>> escape the values there.  The behavior you describe would not come from
>> using placeholders in DBI.
>>
>> You can escape the values for HTML with ampersands, e.g.:
>>
>> s/&/&amp;/g;     # must come first, or the entities below get escaped twice
>> s/"/&quot;/g;
>> s/</&lt;/g;
>> s/>/&gt;/g;
>>
>> If you use the CGI module to produce the HTML, it will handle this escaping
>> for you.
>>
>> Ronald


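As an added illustration of the failure mode Ronald describes (this is not code from the thread or from the CGI or DBI modules), the Python below stands in for the Perl script: it renders the preview page's hidden field with and without the four substitutions he lists, simulates what a browser posts back for that field, and finally stores the value through a placeholder, with sqlite3 standing in for MySQL. The sample description and the field name are constructed for the example.

```python
import html
import re
import sqlite3


def escape_for_attribute(value: str) -> str:
    """Escape a string for use inside a double-quoted HTML attribute.

    Same four substitutions as in the reply above. '&' is handled first;
    otherwise the '&' introduced by &quot;, &lt; and &gt; would itself be
    rewritten to &amp; and the value would not survive the round trip.
    """
    return (value.replace("&", "&amp;")
                 .replace('"', "&quot;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;"))


def hidden_field(name: str, value: str, escape: bool) -> str:
    """Render the preview page's <input type="hidden"> for one form value."""
    if escape:
        value = escape_for_attribute(value)
    return f'<input type="hidden" name="{name}" value="{value}">'


_VALUE_RE = re.compile(r'value="([^"]*)"')


def value_a_browser_submits(field_html: str) -> str:
    """Simulate what a browser posts back for a hidden field.

    A double-quoted attribute value ends at the first '"' it meets, and
    character references inside it are decoded before submission. This is
    why an unescaped description loses everything from its first quote on.
    """
    match = _VALUE_RE.search(field_html)
    return html.unescape(match.group(1)) if match else ""


def round_trip(description: str, escape: bool) -> str:
    """Form page -> preview page hidden field -> value the final POST carries."""
    field = hidden_field("description", description, escape)
    return value_a_browser_submits(field)


def insert_and_read_back(description: str) -> str:
    """Store a description with a placeholder and read it back unchanged.

    sqlite3 stands in for MySQL here; the point is that the placeholder
    needs no quoting help from the caller, so quotes in the value survive.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT)")
    conn.execute("INSERT INTO items (description) VALUES (?)", (description,))
    (stored,) = conn.execute("SELECT description FROM items").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    # Constructed sample: a description with double quotes, tags and an ampersand.
    sample = 'A "large" widget, <b>bold</b> & cheap'
    print("unescaped hidden field ->", repr(round_trip(sample, escape=False)))
    print("escaped hidden field   ->", repr(round_trip(sample, escape=True)))
    print("via placeholder        ->", repr(insert_and_read_back(sample)))
```

The unescaped case reproduces the symptom from the original post exactly: the submitted value is truncated at the first double quote, and the placeholder then faithfully stores that truncated string. The escaped case and the direct placeholder insert both return the description intact, which is how to tell the two stages apart when debugging.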