Re: [SQL] Odd characters in inserted data...

From Gregory W Burnham
Subject Re: [SQL] Odd characters in inserted data...
Date
Msg-id 000401be1e14$927876a0$3d063a8e@apemantus.educ.sfu.ca
Replies Re: [SQL] Odd characters in inserted data...
List pgsql-sql
>PETER PAULY wrote:
>
>> I'm using the "C" interface to write CGI code for a web application.  I allow
>> the user to type data into a particular field, and am storing that data into a
>> field in a postgres database.
>>
>> The problem is, I have to filter the data that the user entered to remove any
>> single quotes and other odd characters so that my SQL command doesn't get
>> messed up.   I'm building the command with printf and passing the filtered
>> data from the user as so:
>>
>> update tablename set comment = '%s' where .....
>>
>> And %s is substituted in the printf with the user data. If the user typed in a
>> single quote, it would cause havoc with the sql statement.  My question is, is
>
>you should substitute single quote with two single quotes

You can also (keeping with 'C' tradition) substitute \' for the single
quote.
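
The quote-doubling approach from the thread, written out as an added example (not code from the original posts). The function names and the `id` key column are hypothetical, and the code assumes a server running with `standard_conforming_strings = on`.

```c
#include <stdio.h>
#include <string.h>

/* Write src into dst as a SQL string literal: wrap it in single quotes and
 * double each embedded single quote. Returns the literal length, or -1 if
 * dst (dstsize bytes, NUL included) is too small. Assumes the server runs
 * with standard_conforming_strings = on, so backslash needs no escaping. */
int sql_quote_literal(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;

    if (dstsize < 3)                      /* room for '' and the NUL */
        return -1;
    dst[n++] = '\'';
    for (; *src != '\0'; src++) {
        size_t need = (*src == '\'') ? 2 : 1;
        if (n + need + 2 > dstsize)       /* keep room for closing ' and NUL */
            return -1;
        if (*src == '\'')
            dst[n++] = '\'';
        dst[n++] = *src;
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return (int)n;
}

/* Build the UPDATE from the post. The "id" key column is hypothetical; the
 * post elides its WHERE clause. */
int build_update(char *sql, size_t sqlsize, const char *comment, int id)
{
    char lit[256];
    int len;

    if (sql_quote_literal(lit, sizeof lit, comment) < 0)
        return -1;                        /* refuse rather than truncate */
    len = snprintf(sql, sqlsize,
                   "update tablename set comment = %s where id = %d", lit, id);
    return (len < 0 || (size_t)len >= sqlsize) ? -1 : len;
}

int main(void)
{
    char sql[512];
    /* Constructed sample input containing single quotes. */
    if (build_update(sql, sizeof sql, "it's a 'quoted' word", 7) > 0)
        puts(sql);
    return 0;
}
```

With `standard_conforming_strings` off, a backslash in the input also acts as an escape character and would have to be doubled as well. libpq's `PQexecParams` sends the value separately from the statement text, so no escaping is needed at all.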


