PETER PAULY wrote:
> I'm using the "C" interface to write CGI code for a web application. I allow
> the user to type data into a particular field, and am storing that data into a
> field in a postgres database.
>
> The problem is, I have to filter the data that the user entered to remove any
> single quotes and other odd characters so that my SQL command doesn't get
> messed up. I'm building the command with printf and passing the filtered
> data from the user as so:
>
> update tablename set comment = '%s' where .....
>
> And %s is substituted in the printf with the user data. If the user typed in a
> single quote, it would cause havoc with the sql statement. My question is, is
> there a better way to pass data to these commands, than to build a command
> string like you see above? My preference would be to pass a pointer to the
> data, or something like that. (same issue with insert).

You should substitute single quotes with two single quotes.
--
___________________________________________________________________________
S.Ramaswamy
Matrix Infotech Syndicate
D-7, Poorti, Vikaspuri, New Delhi, 110018, India
PHONE: +91-11-5610050, FAX: +91-11-5535103
WEB : http://MatrixInfotech.HyperMart.Net
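An added example (not from either poster) of the quote-doubling the reply describes, applied to the UPDATE from the question. It assumes an `id` column for the elided WHERE clause and uses a bounded snprintf instead of an unchecked printf-style build, since an overlong comment is the other failure mode of that pattern; with libpq, PQescapeStringConn() (which also knows about backslash escaping in the server's string mode) or a parameterised PQexecParams() call is the better route, and the doubling below is the minimum the reply asks for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of `in` with every single quote doubled so the
 * result can sit inside a single-quoted SQL literal. Caller frees.
 * Note: with PostgreSQL's non-standard (backslash-escaping) string mode
 * a backslash would also need doubling; PQescapeStringConn() handles
 * that for you. */
char *sql_quote_literal(const char *in)
{
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'')
            quotes++;
    char *out = malloc(n + quotes + 1);
    if (!out)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'')
            *p++ = '\'';        /* emit the quote twice */
        *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Build the UPDATE into a caller-provided buffer. Returns 0 on success,
 * -1 on allocation failure or if the statement would not fit (an
 * unchecked sprintf would silently overflow here). The `id` column is an
 * assumption standing in for the question's elided WHERE clause. */
int build_update(char *buf, size_t buflen, const char *comment, int id)
{
    char *esc = sql_quote_literal(comment);
    if (!esc)
        return -1;
    int len = snprintf(buf, buflen,
                       "update tablename set comment = '%s' where id = %d",
                       esc, id);
    free(esc);
    return (len < 0 || (size_t)len >= buflen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* constructed sample input containing a quote */
    if (build_update(buf, sizeof buf, "it's broken", 7) == 0)
        puts(buf);
    return 0;
}
```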