Discussion: Stripping apostrophes from data
Is there some program or procedure for stripping apostrophes (') from data in the db?  Most of our data has been shuffled over to Postgres from an older system, and I'm occasionally running into data entered in the old system that has apostrophes in it.  (Most recent example: A name field with the word "Today's" in it.)  Given that most of my interactions with the database are through perl scripts and php pages, I can't always tell ahead of time what field I need is going to contain data that's deadly to my statements.
Alternately, is there some way of inserting or selecting data from the db which doesn't require the use of apostrophes for non-numeric fields?
Andrew Edson wrote:
> Is there some program or procedure for stripping apostrophes (') from data in the db?  Most of our data has been
> shuffled over to Postgres from an older system, and I'm occasionally running into data entered in the old system that
> has apostrophes in it.  (Most recent example: A name field with the word "Today's" in it.)  Given that most of my
> interactions with the database are through perl scripts and php pages, I can't always tell ahead of time what field I
> need is going to contain data that's deadly to my statements.
>
> Alternately, is there some way of inserting or selecting data from the db which doesn't require the use of
> apostrophes for non-numeric fields?
Uhmm just prepare all your statements and this shouldn't be an issue.
Joshua D. Drake
--
      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
            UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
On Mon, Aug 20, 2007 at 09:19:14AM -0700, Andrew Edson wrote:
> Is there some program or procedure for stripping apostrophes (') from
> data in the db?  Most of our data has been shuffled over to Postgres
> from an older system, and I'm occasionally running into data entered
> in the old system that has apostrophes in it.  (Most recent example:
> A name field with the word "Today's" in it.) Given that most of my
> interactions with the database are through perl scripts and php
> pages, I can't always tell ahead of time what field I need is going
> to contain data that's deadly to my statements.
>
>   Alternately, is there some way of inserting or selecting data from
>   the db which doesn't require the use of apostrophes for non-numeric
>   fields?
Umm, why are apostrophes causing a problem? Normally you just escape
them or, if you don't want to worry about them at all, use queries with
placeholders.
Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
From each according to his ability. To each according to his ability to litigate.
Andrew Edson wrote:
> Is there some program or procedure for stripping apostrophes (') from
> data in the db?  Most of our data has been shuffled over to Postgres
> from an older system, and I'm occasionally running into data entered
> in the old system that has apostrophes in it.  (Most recent example: A
> name field with the word "Today's" in it.)  Given that most of my
> interactions with the database are through perl scripts and php pages,
> I can't always tell ahead of time what field I need is going to
> contain data that's deadly to my statements.
>
> Alternately, is there some way of inserting or selecting data from the
> db which doesn't require the use of apostrophes for non-numeric fields?
In php you can use the pg_escape_string function:
http://us3.php.net/manual/en/function.pg-escape-string.php
On Aug 20, 2007, at 11:19 , Andrew Edson wrote:
> Is there some program or procedure for stripping apostrophes (')
> from data in the db?  Most of our data has been shuffled over to
> Postgres from an older system, and I'm occasionally running into
> data entered in the old system that has apostrophes in it.  (Most
> recent example: A name field with the word "Today's" in it.)
Do you want to remove the double quotes around the word or the
apostrophe between y and s? Regardless, you might want to look at the
regexp_replace or translate functions:
http://www.postgresql.org/docs/8.2/interactive/functions-string.html
>   Given that most of my interactions with the database are through
> perl scripts and php pages, I can't always tell ahead of time what
> field I need is going to contain data that's deadly to my statements.
Sounds like a problem with how you're handling your data in your
middleware, as this shouldn't be a problem regardless of the
characters in the string if you're handling things correctly. If you
post an example perhaps people can offer suggestions on how you can
handle things more safely. Are you interpolating variables directly
into SQL statements? If so, don't do that: use bind variables instead.
>  Alternately, is there some way of inserting or selecting data from
> the db which doesn't require the use of apostrophes for non-numeric
> fields?
You could use dollar quotes, but it sounds like your problem might be
able to be solved using bind variables.
Michael Glaesemann
grzm seespotcode net
On 8/20/07, Joshua D. Drake <jd@commandprompt.com> wrote:
>> Alternately, is there some way of inserting or selecting data from the db which doesn't require the use of apostrophes for non-numeric fields?
> Uhmm just prepare all your statements and this shouldn't be an issue.
.. which is a good idea anyway when you're dealing with data which cannot easily be verified as 'safe' (such as text data) -- it's a great way to prevent all SQL injections, even when you're not expecting quotes.
--
Leon Mergen
http://www.solatis.com
The dollar quoting appears to have fixed it; thank you.  I apologize for my folly in sending out the original message.
[Please don't top post as it makes the discussion more difficult to follow.]
On Aug 20, 2007, at 13:21 , Andrew Edson wrote:
> The dollar quoting appears to have fixed it; thank you. I
> apologize for my folly in sending out the original message.
I think this might be giving you a false sense of security. It looks like I wasn't the only one to think you're probably doing something unsafe. If you're interested in improving your code to make sure this can never be a problem, look into bind variables (and prepared statements). If you're directly interpolating variables into a query string, you're just asking for trouble, regardless of what quoting method you're using.
Michael Glaesemann
grzm seespotcode net
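An added example, not code from anyone in the thread: the three approaches discussed (interpolating the variable, escaping it with DBI's quote method, and binding it through a placeholder) applied to the poster's "Today's" value from a Perl script using DBI/DBD::Pg. The table name `names`, the connection string and the credentials are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): one INSERT done three ways against
# PostgreSQL via DBI/DBD::Pg. Table, database name and credentials are
# assumptions; change them to match your own schema.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:Pg:dbname=example', 'user', 'secret',
                       { RaiseError => 1, AutoCommit => 1 });

# The kind of value the thread ran into.
my $name = "Today's Special";

# 1. Interpolating the variable into the SQL text. The apostrophe closes
#    the literal early, so the statement is a syntax error; with input an
#    outsider controls, the same construction is an SQL injection hole.
#    Dollar quoting ($$...$$) only moves the problem: it is still
#    interpolation and breaks again on a value containing the delimiter.
my $interpolated = "INSERT INTO names (name) VALUES ('$name')";
eval { $dbh->do($interpolated) };
print "interpolated statement: ", ($@ ? "failed" : "ran"), "\n";

# 2. Escaping with $dbh->quote (DBD::Pg doubles the embedded quote). This
#    is correct, but it has to be remembered for every string in every
#    statement, which is exactly what the poster could not guarantee.
my $quoted = $dbh->quote($name);
$dbh->do("INSERT INTO names (name) VALUES ($quoted)");

# 3. Placeholder / bind variable. The value travels separately from the
#    SQL text and never reaches the parser, so apostrophes, backslashes and
#    anything else in it need no special handling at all.
my $sth = $dbh->prepare('INSERT INTO names (name) VALUES (?)');
$sth->execute($name);

# The same applies to SELECT: bind the value instead of quoting it.
my ($count) = $dbh->selectrow_array(
    'SELECT count(*) FROM names WHERE name = ?', undef, $name);
print "rows whose name is exactly the bound value: $count\n";

$dbh->disconnect;
```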