Thread: ...
Hi!

I have an annoying problem, that I just haven't been able to get around yet. When I parse the
input from a form and go to insert it everything works fine as long as the user doesn't use
the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
The insert statement is below.

my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
'$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
'$assigned', '$time_now')};

Thanks in advance.

Ken Wills
GFC Call Center
Email: gfchelp@gflesch.com
Phone: 1-888-4325556
Fax: 1-608-2222432

Ken Wills wrote:

> Hi!
>
> I have an annoying problem, that I just haven't been able to get around yet. When I parse the
> input from a form and go to insert it everything works fine as long as the user doesn't use
> the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
> or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
> The insert statement is below.
>
> my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
> ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
> '$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
> '$assigned', '$time_now')};
>

I have the same problem with DB2. I encode the ' character as &39 or 0x39. Then on output I reparse the
field and display the results. (I also encode the & character or whatever I use to delimit the
character.)

--
Bill Cunningham
Database Development Project Lead
Bally Systems

Hi Ken, Bill and all

Na!
First, as a web interface you should be using PHP 3.x, you are right?

OK, that said, do this:
$chktext = ereg_replace("'", "''", $chktext);

That will take every ' in the data, and replace it with '' (2 ') which is
how you escape a ' in PostgreSQL (and all SQL?).

Hope that helps, have a great day
Terry

On Mon, 30 Nov 1998, Bill Cunningham wrote:

> Ken Wills wrote:
>
> > Hi!
> >
> > I have an annoying problem, that I just haven't been able to get around yet. When I parse the
> > input from a form and go to insert it everything works fine as long as the user doesn't use
> > the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
> > or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
> > The insert statement is below.
> >
> > my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
> > ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
> > '$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
> > '$assigned', '$time_now')};
> >
>
> I have the same problem with DB2. I encode the ' character as &39 or 0x39. Then on output I reparse the
> field and display the results. (I also encode the & character or whatever I use to delimit the
> character.)
>
>
> --
> Bill Cunningham
> Database Development Project Lead
> Bally Systems
>
>
>
>

Terry Mackintosh <terry@terrym.com> http://www.terrym.com
sysadmin/owner Please! No MIME encoded or HTML mail, unless needed.

Proudly powered by R H Linux 4.2, Apache 1.3, PHP 3, PostgreSQL 6.4
-------------------------------------------------------------------
Success Is A Choice ... book by Rick Patino, get it, read it!

On Mon, 30 Nov 1998, Terry Mackintosh wrote:

> Hi Ken, Bill and all
>
> Na!
> First, as a web interface you should be using PHP 3.x, you are right?

Actually, my personal preference is perl for web interfaces *shrug*

Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org

On Mon, 30 Nov 1998, Terry Mackintosh wrote:

>Hi Ken, Bill and all
>
>Na!
>First, as a web interface you should be using PHP 3.x, you are right?
>
>OK, that said, do this:
>$chktext = ereg_replace("'", "''", $chktext);

Can't you just enable magic quotes in the php3 conf file to have this accomplished automatically? Or call:

$chktext = addslashes($chktext);

>That will take every ' in the data, and replace it with '' (2 ') which is
>how you escape a ' in PostgreSQL (and all SQL?).
>
>Hope that helps, have a great day
>Terry
>
>On Mon, 30 Nov 1998, Bill Cunningham wrote:
>
>> Ken Wills wrote:
>>
>> > Hi!
>> >
>> > I have an annoying problem, that I just haven't been able to get around yet. When I parse the
>> > input from a form and go to insert it everything works fine as long as the user doesn't use
>> > the ' character in the input. I've tried using qw{} and qq{}, which either don't interpolate
>> > or give me errors. Anyone have any suggestions? Postgres 6.4, Apache 1.3, mod_perl 1.16.
>> > The insert statement is below.
>> >
>> > my $query_string=qq{INSERT INTO CALLS (ca_service_id, ca_org_name, ca_phone_number, ca_status,
>> > ca_product, ca_problem, ca_resolution, ca_contact_name, ca_assigned, ca_date) VALUES ('$service_id',
>> > '$org_name', '$phone_number', '$status', '$product', '$problem', '$resolution', '$contact',
>> > '$assigned', '$time_now')};
>> >
>>
>> I have the same problem with DB2. I encode the ' character as &39 or 0x39. Then on output I reparse the
>> field and display the results. (I also encode the & character or whatever I use to delimit the
>> character.)
>>
>>
>> --
>> Bill Cunningham
>> Database Development Project Lead
>> Bally Systems
>>
>>
>>
>>
>
>Terry Mackintosh <terry@terrym.com> http://www.terrym.com
>sysadmin/owner Please! No MIME encoded or HTML mail, unless needed.
>
>Proudly powered by R H Linux 4.2, Apache 1.3, PHP 3, PostgreSQL 6.4
>-------------------------------------------------------------------
>Success Is A Choice ... book by Rick Patino, get it, read it!

--
Sincerely,
Jason Boxman
uselinux@email.com
benefits@cybertechs.com
"We have lived not in proportion to the number of years we have spent on the earth, but in proportion as we have enjoyed." -Henry David Thoreau
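
The insert from the question redone with DBI bound parameters, as an added example that is not part of any message in this thread: it assumes DBI and DBD::SQLite are installed, uses an in-memory SQLite database in place of PostgreSQL, and cuts the CALLS table down to three columns with constructed input. Binding the values keeps the ' character intact and also keeps form data from being parsed as SQL, which hand-escaping only achieves when every value is escaped correctly for the target database.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBI and DBD::SQLite;
# an in-memory SQLite database stands in for the PostgreSQL server.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Cut-down version of the CALLS table from the question (three of its columns).
$dbh->do(q{CREATE TABLE calls (ca_service_id TEXT, ca_org_name TEXT, ca_problem TEXT)});

# Constructed form input containing the ' character.
my ($service_id, $org_name, $problem) =
    ('1001', q{O'Brien's Diner}, q{Printer won't feed paper});

# 1. Interpolating the values into the statement, as in the question:
#    the first ' inside the data ends the string literal and the parse fails.
my $ok = eval {
    $dbh->do(qq{INSERT INTO calls (ca_service_id, ca_org_name, ca_problem)
                VALUES ('$service_id', '$org_name', '$problem')});
    1;
};
print "interpolated: ", ($ok ? "inserted\n" : "failed: $@");

# 2. Placeholders: the statement text is fixed and the values travel
#    separately, so no character in the data needs escaping.
my $sth = $dbh->prepare(q{INSERT INTO calls (ca_service_id, ca_org_name, ca_problem)
                          VALUES (?, ?, ?)});
$sth->execute($service_id, $org_name, $problem);

# 3. If a literal has to be built by hand, let the driver quote it for its
#    own database instead of relying on a hand-written substitution.
print "quoted literal: ", $dbh->quote($org_name), "\n";

# Read the row back and confirm the data survived unchanged.
my ($stored_org, $stored_problem) = $dbh->selectrow_array(
    q{SELECT ca_org_name, ca_problem FROM calls WHERE ca_service_id = ?},
    undef, $service_id);
die "round trip changed the data\n"
    unless $stored_org eq $org_name && $stored_problem eq $problem;
print "stored: $stored_org / $stored_problem\n";

$dbh->disconnect;
```

Against PostgreSQL the same calls work with a DBD::Pg connection string in place of the SQLite one.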