Re: [SQL] Odd characters in inserted data...

From: "S(dot)Ramaswamy" <srswamy(at)giasdl01(dot)vsnl(dot)net(dot)in>
To: PETER PAULY <ppauly(at)usa(dot)net>
Cc: pgsql-sql(at)postgreSQL(dot)org
Subject: Re: [SQL] Odd characters in inserted data...
Date: 1998-12-01 09:16:36
Message-ID: 3663B3F4.5360F306@del1.vsnl.net.in
Lists: pgsql-sql

PETER PAULY wrote:

> I'm using the "C" interface to write CGI code for a web application. I allow
> the user to type data into a particular field, and am storing that data into a
> field in a postgres database.
>
> The problem is, I have to filter the data that the user entered to remove any
> single quotes and other odd characters so that my SQL command doesn't get
> messed up. I'm building the command with printf and passing the filtered
> data from the user as so:
>
> update tablename set comment = '%s' where .....
>
> And %s is substituted in the printf with the user data. If the user typed in a
> single quote, it would cause havoc with the sql statement. My question is, is

You should substitute each single quote with two single quotes.

> there a better way to pass data to these commands, than to build a command
> string like you see above? My preference would be to pass a pointer to the
> data, or something like that. (same issue with insert).
>
> ____________________________________________________________________
> Get free e-mail and a permanent address at http://www.netaddress.com/?N=1

--
___________________________________________________________________________
S.Ramaswamy
Matrix Infotech Syndicate
D-7, Poorti, Vikaspuri, New Delhi, 110018, India
PHONE: +91-11-5610050, FAX: +91-11-5535103
WEB : http://MatrixInfotech.HyperMart.Net
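Editor's note, with an added example that is not part of the thread and not code from either poster. The reply's advice (double every single quote) is correct as far as it goes, and the example below shows what it looks like when the statement is still built as a string in C, using snprintf into a bounded buffer rather than an unbounded printf. Two caveats a practitioner would want: on PostgreSQL servers of that era (and any server with standard_conforming_strings off) a backslash is also an escape character inside an ordinary string literal, so a user-supplied backslash must be doubled too, or it can swallow the closing quote; and byte-wise escaping like this is not safe with client encodings in which a multibyte character can end in a 0x27 or 0x5C byte, which is why later libpq versions added encoding-aware PQescapeStringConn/PQescapeLiteral and, better still, PQexecParams, which passes the data separately from the SQL and needs no quoting at all. The function names sql_quote_literal and build_update, the column name id, and the hostile sample input are all invented for this example.

```c
/* Added example, not from the original thread.  Quote a user-supplied
 * string for use inside a single-quoted SQL literal, then build the UPDATE
 * from the thread into a bounded buffer.  Names (sql_quote_literal,
 * build_update) and the `id` column are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape `in` so it can be placed between single quotes in a SQL string
 * literal.  Every ' becomes ''.  If escape_backslash is nonzero, every \
 * also becomes \\ , which is required when the server treats backslash as
 * an escape inside ordinary literals (PostgreSQL before
 * standard_conforming_strings defaulted to on).  Works on bytes only, so it
 * is not safe for client encodings where a multibyte character can contain
 * 0x27 or 0x5C as a trailing byte; use the encoding-aware libpq escaping
 * functions or PQexecParams there.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *sql_quote_literal(const char *in, int escape_backslash)
{
    size_t n = strlen(in);
    /* Worst case: every input byte doubles, plus the NUL terminator. */
    char *out = malloc(2 * n + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'') {
            *p++ = '\'';
            *p++ = '\'';
        } else if (*s == '\\' && escape_backslash) {
            *p++ = '\\';
            *p++ = '\\';
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Build the UPDATE statement into buf (capacity buflen).
 * Returns 0 on success, -1 if quoting failed or the statement did not fit:
 * a truncated statement must never be handed to the server. */
int build_update(char *buf, size_t buflen, const char *comment, long id,
                 int escape_backslash)
{
    char *quoted = sql_quote_literal(comment, escape_backslash);
    if (quoted == NULL)
        return -1;
    int len = snprintf(buf, buflen,
                       "update tablename set comment = '%s' where id = %ld",
                       quoted, id);
    free(quoted);
    if (len < 0 || (size_t)len >= buflen)
        return -1;
    return 0;
}

int main(void)
{
    char sql[256];
    /* Constructed hostile input: tries to close the literal and append a
     * second statement, exactly the "havoc" the original poster describes. */
    const char *evil = "nice'; delete from tablename; --";
    if (build_update(sql, sizeof sql, evil, 42, 1) == 0)
        puts(sql);
    /* prints: update tablename set comment = 'nice''; delete from tablename; --' where id = 42 */
    return 0;
}
```

Because the lone quote in the payload is doubled, the server reads the whole user string as one literal and the trailing "delete" never becomes a statement. The return-value check on snprintf matters as much as the escaping: silently truncating a query can drop the WHERE clause and update every row.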
