Обсуждение: illegal characters

Поиск
Список
Период
Сортировка

illegal characters

От
Oleg Lebedev
Дата:
Hello,
I am using postgresql to store data passed from a web page. A user may
enter whatever text she wants on that web page. Do I have to prepend all
the illegal characters in the text with backslashes before storing the
text in the database? Is there any way to make postgresql prepend these
illegal characters for me?
Example:
I have an entry 'foo/bar' in a database table (it was stored as
'foo/bar' NOT as 'foo\/bar', when I try to search for all rows that
contain entry 'foo/bar', I get no results.
Any help will be greatly appreciated.
Thanks

Re: illegal characters

От
"Brett W. McCoy"
Дата:
On Fri, 9 Feb 2001, Oleg Lebedev wrote:

> I am using postgresql to store data passed from a web page. A user may
> enter whatever text she wants on that web page. Do I have to prepend all
> the illegal characters in the text with backslashes before storing the
> text in the database? Is there any way to make postgresql prepend these
> illegal characters for me?
> Example:
> I have an entry 'foo/bar' in a database table (it was stored as
> 'foo/bar' NOT as 'foo\/bar', when I try to search for all rows that
> contain entry 'foo/bar', I get no results.
> Any help will be greatly appreciated.

What programming interface are you using for the form?  Most usually
provide some sort of escaping mechanism before you insert data into the
database.  Otherwise, you can write your own validation functions (which
you should do any way, to make sure users aren't doing bad things) to
escape funncy characters (single quotes, slashes, etc.).

-- Brett
                                     http://www.chapelperilous.net/~bmccoy/
---------------------------------------------------------------------------
This is National Non-Dairy Creamer Week.

Re: illegal characters

От
Gilles DAROLD
Дата:
Hi,

I don't know what programming language you are using but there's
surely a function named quote which will do that for you.

With perl DBI you can use it like this :

quote :
    Quote a string literal for use as a literal value in an SQL statement
by
    escaping any special characters (such as quotation marks) contained
    within the string and adding the required type of outer quotation
marks.

    $sql = $dbh->quote($string);

Regards

Gilles DAROLD

Oleg Lebedev wrote:

> Hello,
> I am using postgresql to store data passed from a web page. A user may
> enter whatever text she wants on that web page. Do I have to prepend all
> the illegal characters in the text with backslashes before storing the
> text in the database? Is there any way to make postgresql prepend these
> illegal characters for me?
> Example:
> I have an entry 'foo/bar' in a database table (it was stored as
> 'foo/bar' NOT as 'foo\/bar', when I try to search for all rows that
> contain entry 'foo/bar', I get no results.
> Any help will be greatly appreciated.
> Thanks