How can I successfully encode and pass the '&' character from a
textbox to my database using setSrc, whilst preventing sql attacks?
I have a method that sends data from a textbox like so:
<method event="onclick">
    // escape the textbox contents, then append them to the request URL
    thetext = LzBrowser.urlEscape(parent.editbox.getText());
    thedata.setSrc("http://localhost:3000/names/update/" + "id=" +
                   myid + "&" + name + "=" + thetext);
    thedata.doRequest();
</method>
I am using a Ruby controller on the backend that creates a hash of
the parameters passed in the URL by splitting the URL at each '&'
sign and submitting them to the database:
# split the "id=...&name=..." string on '&', then each pair on the first '='
values = params['id'].split('&').map { |s| s.split('=', 2) }
attributes = Hash[*values.flatten]
This works well until a user tries to submit text containing the "&"
character - it's encoded by urlEscape to %26, which appears to break
the Ruby controller - doRequest fails. I've also tried using
xmlEscape instead, which encodes & to &amp;, with similar consequences.
Am I going about passing the text information the right way, or is
there a better one?
_______________________________________________
Laszlo-user mailing list
[email protected]
http://www.openlaszlo.org/mailman/listinfo/laszlo-user
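A worked Ruby example, added here and not part of the original post or of OpenLaszlo, showing why splitting an already-decoded string on '&' breaks as soon as a value contains '&', and how parsing the still-encoded query string (split first, decode each component afterwards) plus bound SQL parameters handles the character correctly without opening the database to injection. The '?'-style query URL, the 'names' table, the ALLOWED_COLUMNS list and the sample values are assumptions made for the example, not anything the post describes.

```ruby
require 'uri'

# Constructed sample values; the name deliberately contains '&'.
SAMPLE_ID   = '7'
SAMPLE_NAME = 'Tom & Jerry'

# Client side, as it should be done: a real query string in which every
# value is form-encoded, so an '&' inside a value travels as %26 and cannot
# be mistaken for the pair separator. (Assumed URL shape for the example;
# this is what escaping each value with LzBrowser.urlEscape amounts to.)
def build_update_url(id, column, value)
  'http://localhost:3000/names/update?' + URI.encode_www_form(id: id, column => value)
end

# The pattern from the post, applied to the already-decoded string the
# framework hands the controller: decoding has turned %26 back into '&',
# so the split produces a stray fragment and Hash[] gets an odd argument
# count (ArgumentError).
def naive_parse(decoded_pairs)
  values = decoded_pairs.split('&').map { |s| s.split('=', 2) }
  Hash[*values.flatten]
end

# Parse the raw, still-encoded query string instead: URI.decode_www_form
# splits on '&' first and percent-decodes each key and value afterwards.
def safe_parse(raw_query)
  URI.decode_www_form(raw_query).to_h
end

# Columns the client may update. A column name cannot be a bind parameter,
# so it is checked against a fixed list instead of being interpolated from
# the request. (Assumed list for the example.)
ALLOWED_COLUMNS = %w[name email].freeze

# Build the UPDATE with '?' placeholders and return the SQL text and the
# bind values separately: the user's text never becomes part of the SQL
# string, so neither '&' nor a quote character can change the statement.
def build_update(attrs)
  column = (attrs.keys - ['id']).first
  raise ArgumentError, "column not allowed: #{column}" unless ALLOWED_COLUMNS.include?(column)
  ["UPDATE names SET #{column} = ? WHERE id = ?", [attrs[column], attrs['id']]]
end

if __FILE__ == $0
  url = build_update_url(SAMPLE_ID, 'name', SAMPLE_NAME)
  puts url                       # id=7&name=Tom+%26+Jerry
  raw = URI(url).query
  begin
    naive_parse(URI.decode_www_form_component(raw))
  rescue ArgumentError => e
    puts "naive parser failed: #{e.message}"
  end
  attrs = safe_parse(raw)
  p attrs                        # {"id"=>"7", "name"=>"Tom & Jerry"}
  p build_update(attrs)          # SQL with placeholders, binds separate
end
```

The important ordering is split-then-decode: once the whole string has been decoded, '&' from a value and '&' between pairs are indistinguishable, which is exactly the failure described. Letting the framework parse the query string (rather than packing "id=...&name=..." into a single path segment) gives the same result as safe_parse, and the bound-parameter UPDATE is what keeps the text out of the SQL itself.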