Re: troublesome inputs - Mailing list pgsql-general

From Mark Cowlishaw
Subject Re: troublesome inputs
Date
Msg-id 026b01c09a0f$c933dc60$5250460a@meta2k
In response to Re: troublesome inputs  (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List pgsql-general
> At 02:49 PM 2/17/01 -0500, Michelle Murrain wrote:
> >in an unrecoverable error. What I need to do is two-fold - escape stuff
> >that is easy (like single quotes), and do testing of types (make sure they
> >are not putting non-numerics in int fields, etc.)
> >

Input parameter testing in perl is quite straightforward using regex
matching.  I do this on my input parameters (assumes you are using CGI.pm):

my $bar = validate(trim($cgi->param('bar')), '^\d+$')
    or push(@error_list, "Missing or Invalid Bar");

where trim() removes leading/trailing whitespace: (s/^\s*//; s/\s*$//;)
and validate() performs a regex match and returns undef on no match.

Save all the errors in a list for processing later so you don't make the user
re-enter the form details 5 times before they get told about all their
errors.

For doing stuff like escaping strings for input into the database, I've
found using the prepared statement mechanism very helpful since it does
this for you -- there is probably some performance hit doing it this way
but I think using Perl to start with obviates most performance concerns ;-)

my $sth = $dbh->prepare("insert into foo (a,b,c) values (?,?,?)");
$sth->execute(1,2,"some random string with funny chars");
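The two halves of the reply above (trim/validate with an error list, then DBI placeholders) put together as one runnable script. This is an added example, not code from the post; it assumes DBI with DBD::SQLite as an in-memory stand-in for PostgreSQL (swap the DSN for a dbi:Pg one to use the real database), and a constructed %form hash stands in for $cgi->param.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Assumes DBI plus
# DBD::SQLite for an in-memory stand-in; change the DSN to dbi:Pg:...
# to talk to PostgreSQL. Form data is a constructed hash, not CGI.pm.
use strict;
use warnings;
use DBI;

# Strip leading and trailing whitespace; undef stays undef.
sub trim {
    my ($s) = @_;
    return undef unless defined $s;
    $s =~ s/^\s+//;
    $s =~ s/\s+$//;
    return $s;
}

# Return the value if it matches the pattern, undef otherwise.
sub validate {
    my ($value, $pattern) = @_;
    return undef unless defined $value && $value =~ $pattern;
    return $value;
}

# One rule per column. \A and \z (rather than ^ and $) refuse a value
# that is correct apart from a trailing newline.
my %rules = (
    a => qr/\A\d+\z/,
    b => qr/\A\d+\z/,
    c => qr/\A.{1,200}\z/s,    # bounded free text, any character allowed
);

# Check every field and return (clean values, list of all errors) so the
# user sees every problem in one round trip.
sub check_form {
    my ($form) = @_;
    my (%clean, @error_list);
    for my $field (sort keys %rules) {
        my $v = validate(trim($form->{$field}), $rules{$field});
        # Test definedness, not truth: "0" is a valid integer but false in Perl,
        # so "validate(...) or push ..." would wrongly reject it.
        if (defined $v) { $clean{$field} = $v }
        else            { push @error_list, "Missing or Invalid $field" }
    }
    return (\%clean, \@error_list);
}

# Constructed submissions: one with two bad fields, one that is clean but
# carries quote characters that would break naive string concatenation.
my @submissions = (
    { a => ' 42 ', b => '12abc', c => undef },
    { a => '0',    b => '7',     c => q{O'Reilly said "hi"} },
);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE foo (a INTEGER, b INTEGER, c TEXT)');

# The driver binds each ? at execute time; the text in c is never spliced
# into the SQL string, so its quotes cannot change the statement.
my $sth = $dbh->prepare('INSERT INTO foo (a, b, c) VALUES (?, ?, ?)');

for my $form (@submissions) {
    my ($clean, $errors) = check_form($form);
    if (@$errors) {
        print "rejected: ", join('; ', @$errors), "\n";
        next;
    }
    $sth->execute(@{$clean}{qw(a b c)});
    print "inserted row a=$clean->{a}\n";
}

# Read it back: the stored text is exactly what was submitted.
my $rows = $dbh->selectall_arrayref('SELECT a, b, c FROM foo');
printf "%d row(s); c = %s\n", scalar @$rows, $rows->[0][2];
```

Two small departures from the sketch in the reply are deliberate: the result of validate() is tested with defined rather than with `or`, because a legitimate "0" is false in Perl and would otherwise be reported as invalid, and the patterns use \A and \z so that a value with a trailing newline does not slip past the integer check.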
