Discussion: Re: your mail
Redirected to -interfaces vs -admin
On Mon, 23 Nov 1998, Ken Wills wrote:
> Hi!
>
> I have an annoying problem, that I just haven't been able to get around yet. When I parse the
> input from a form and go to insert it everything works fine as long as the user doesn't use
> the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
> or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
> The insert statement is below.
>
>
> my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
> ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
> '$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
> '$assigned', '$time_now')};
escape your input strings first...something like:
$phone_number =~ s/'/\\'/g;
Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
Firstly, thanks to everyone who replied so fast!!
> I have an annoying problem, that I just haven't been able to get around yet. When I parse the
> input from a form and go to insert it everything works fine as long as the user doesn't use
> the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
>> or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
>> The insert statement is below.
>escape your input strings first...something like:
a number of people suggested something like:
>$phone_number =~ s/'/\\'/g;
Ok, I tried this - it does what it looks like it is supposed to. If I enter:
John's shoes, I get John\'s shoes. Unfortunately I still get an error. If I enter it
as John's shoes', I don't get an error. Seems like it only likes them in pairs. The funny thing is if
I supply them in pairs, it inserts the whole string, I'd have thought that it would parse them
or something, and only insert the values between the '.
Ken
I just ended up doing: $phone_number =~ s/'/\\'\\'/g; to substitute two ' for every '. Thanks again to all for the suggestion.
>a number of people suggested something like:
>>$phone_number =~ s/'/\\'/g;
>Seems like it only likes them in pairs.
Ken
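The quoting failures in this thread do not arise when the values are passed as bind parameters instead of being interpolated into the SQL string. The script below is an added example, not code from any poster in the thread; it assumes DBD::SQLite is installed and uses an in-memory database in place of the thread's Postgres connection, with a cut-down three-column `calls` table and constructed input values.

```perl
#!/usr/bin/perl
# Added example: bind parameters instead of hand-escaping quotes.
# Assumption: DBD::SQLite (in-memory) stands in for the thread's DBD::Pg
# connection so the script runs without a server; the DBI calls are the same.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Cut-down version of the CALLS table from the thread (three columns only).
$dbh->do(q{CREATE TABLE calls
           (ca_org_name TEXT, ca_phone_number TEXT, ca_problem TEXT)});

# Constructed form input: an embedded quote, an unpaired trailing quote,
# and backslashes. These are the cases the s/'/\\'/g approach tripped over.
my @rows = (
    [ q{John's shoes},  q{555-0100}, q{printer won't feed}     ],
    [ q{John's shoes'}, q{555-0101}, q{log is in C:\temp\log}  ],
    [ q{O'Neil & Sons}, q{555-0102}, q{said "it's broken" \'}  ],
);

# The SQL text is fixed; values travel separately and are never parsed as SQL.
my $sth = $dbh->prepare(q{INSERT INTO calls
                          (ca_org_name, ca_phone_number, ca_problem)
                          VALUES (?, ?, ?)});
$sth->execute(@$_) for @rows;

# Read each row back and confirm the value round-trips unchanged.
my $check = $dbh->prepare(q{SELECT ca_org_name, ca_problem
                            FROM calls WHERE ca_phone_number = ?});
for my $row (@rows) {
    $check->execute($row->[1]);
    my ($org, $problem) = $check->fetchrow_array;
    $check->finish;
    die "mismatch for $row->[1]\n"
        unless $org eq $row->[0] && $problem eq $row->[2];
    print "stored intact: $org | $problem\n";
}

# If a literal really must be spliced into SQL text, let the driver apply
# its own quoting rules rather than a hand-written substitution.
print 'driver-quoted literal: ', $dbh->quote(q{John's shoes}), "\n";

$dbh->disconnect;
```

With the placeholders in place, no per-field `s/'/.../g` substitution is needed, and the stored value is exactly what the user typed.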
On Mon, 23 Nov 1998, Ken Wills wrote:
> Firstly, thanks to everyone who replied so fast!!
>
> > I have an annoying problem, that I just haven't been able to get around yet. When I parse the
> > input from a form and go to insert it everything works fine as long as the user doesn't use
> > the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
> >> or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
> >> The insert statement is below.
>
> >escape your input strings first...something like:
>
> a number of people suggested something like:
>
> >$phone_number =~ s/'/\\'/g;
>
> Ok, I tried this - it does what it looks like it is supposed to. If I enter:
> John's shoes, I get John\'s shoes. Unfortunately I still get an error. If I enter it
> as John's shoes', I don't get an error. Seems like it only likes them in pairs. The funny thing is if
> I supply them in pairs, it inserts the whole string, I'd have thought that it would parse them
> or something, and only insert the values between the '.
Have you tried doing:
print STDERR ${inputstr}, "\n";
To see what your 'insert into...' string looks like exactly? It looks
like you are missing a ' in there somewhere when you are generating your
string...
Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
>>
>> >$phone_number =~ s/'/\\'/g;
>>
>> Ok, I tried this - it does what it looks like it is supposed to. If I enter:
>> John's shoes, I get John\'s shoes. Unfortunately I still get an error. If I enter it
>> as John's shoes', I don't get an error. Seems like it only likes them in pairs. The funny thing is if
>> I supply them in pairs, it inserts the whole string, I'd have thought that it would parse them
>> or something, and only insert the values between the '.
>Have you tried doing:
> print STDERR ${inputstr}, "\n";
>To see what your 'insert into...' string looks like exactly? It looks
>like you are missing a ' in there somewhere when you are generating your
>string...
I tried this, and can see what's causing the error. From Apache's error log:
--snip--
\'
\'
\'
none7
[Mon Nov 23 09:54:31 1998] [error] DBD::Pg::db do failed: ERROR: Bad datetime external representation
'Mon Nov 23 09NULLNULL 1998'
--snip--
the time field is the last one to go in here. the insert string looks like:
my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
'$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
'$assigned', '$time_now')};
It seems like I am getting an extra \' from somewhere. I'll take a look at that. Thanks again to all.
Ken
On Mon, 23 Nov 1998, Ken Wills wrote:
>
> > print STDERR ${inputstr}, "\n";
>
> >To see what your 'insert into...' string looks like exactly? It looks
> >like you are missing a ' in there somewhere when you are generating your
> >string...
>
> I tried this, and can see what's causing the error. From Apache's error log:
> --snip--
> \'
> \'
> \'
> none7
> [Mon Nov 23 09:54:31 1998] [error] DBD::Pg::db do failed: ERROR: Bad datetime external representation
> 'Mon Nov 23 09NULLNULL 1998'
>
> --snip--
> the time field is the last one to go in here. the insert string looks like:
> my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
> ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
> '$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
> '$assigned', '$time_now')};
First, why not just put 'now' where '$time_now' is?
Second, what is the output in the Apache logs if you add:
print STDERR $query_string, "\n";
right after the "my $query_string=" statement? You should get something
that looks like:
INSERT INTO CALLS...
Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org