Thread: illegal characters
Hello,

I am using postgresql to store data passed from a web page. A user may
enter whatever text she wants on that web page. Do I have to prepend all
the illegal characters in the text with backslashes before storing the
text in the database? Is there any way to make postgresql prepend these
illegal characters for me?

Example:
I have an entry 'foo/bar' in a database table (it was stored as
'foo/bar' NOT as 'foo\/bar'). When I try to search for all rows that
contain entry 'foo/bar', I get no results.

Any help will be greatly appreciated.
Thanks

On Fri, 9 Feb 2001, Oleg Lebedev wrote:

> I am using postgresql to store data passed from a web page. A user may
> enter whatever text she wants on that web page. Do I have to prepend all
> the illegal characters in the text with backslashes before storing the
> text in the database? Is there any way to make postgresql prepend these
> illegal characters for me?
> Example:
> I have an entry 'foo/bar' in a database table (it was stored as
> 'foo/bar' NOT as 'foo\/bar', when I try to search for all rows that
> contain entry 'foo/bar', I get no results.
> Any help will be greatly appreciated.

What programming interface are you using for the form? Most usually
provide some sort of escaping mechanism before you insert data into the
database. Otherwise, you can write your own validation functions (which
you should do anyway, to make sure users aren't doing bad things) to
escape funny characters (single quotes, slashes, etc.).

-- Brett
http://www.chapelperilous.net/~bmccoy/
---------------------------------------------------------------------------
This is National Non-Dairy Creamer Week.

Hi,

I don't know what programming language you are using but there's surely
a function named quote which will do that for you. With perl DBI you can
use it like this:

quote: Quote a string literal for use as a literal value in an SQL
statement by escaping any special characters (such as quotation marks)
contained within the string and adding the required type of outer
quotation marks.

    $sql = $dbh->quote($string);

Regards

Gilles DAROLD

Oleg Lebedev wrote:

> Hello,
> I am using postgresql to store data passed from a web page. A user may
> enter whatever text she wants on that web page. Do I have to prepend all
> the illegal characters in the text with backslashes before storing the
> text in the database? Is there any way to make postgresql prepend these
> illegal characters for me?
> Example:
> I have an entry 'foo/bar' in a database table (it was stored as
> 'foo/bar' NOT as 'foo\/bar', when I try to search for all rows that
> contain entry 'foo/bar', I get no results.
> Any help will be greatly appreciated.
> Thanks
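
Added example, not part of any message in this thread: a Python sketch of the two approaches the replies point at, a quote-style literal escaper and the driver's bound parameters, plus LIKE-wildcard escaping for "contains" searches. It uses an in-memory SQLite database as a stand-in so it runs without a PostgreSQL server; the table, sample rows and the helpers quote_literal and like_contains are constructed for illustration.

```python
import sqlite3

def quote_literal(value: str) -> str:
    """Hypothetical helper: SQL-standard literal quoting (double each single
    quote, add outer quotes). Backslash handling in literals differs between
    servers and settings, so real code should call the driver's own quoting
    function or, better, bind parameters."""
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a text literal")
    return "'" + value.replace("'", "''") + "'"

def like_contains(term: str) -> str:
    """Hypothetical helper: LIKE pattern matching rows that contain `term`
    literally. The escape character itself is escaped first, then % and _."""
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return "%" + term + "%"

# Constructed sample input standing in for text typed into a web form.
SAMPLES = ["foo/bar", "O'Reilly", "100% done", "a_b", "axb",
           "back\\slash", "x'); DROP TABLE entries; --"]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (body TEXT)")
    # Bound parameters: the value never becomes part of the SQL text,
    # so no character in it needs a backslash, the forward slash included.
    db.executemany("INSERT INTO entries (body) VALUES (?)",
                   [(s,) for s in SAMPLES])
    results = {}
    for s in SAMPLES:
        exact = db.execute("SELECT count(*) FROM entries WHERE body = ?",
                           (s,)).fetchone()[0]
        contains = db.execute(
            "SELECT count(*) FROM entries WHERE body LIKE ? ESCAPE '\\'",
            (like_contains(s),)).fetchone()[0]
        quoted = db.execute("SELECT count(*) FROM entries WHERE body = "
                            + quote_literal(s)).fetchone()[0]
        results[s] = (exact, contains, quoted)
    # Without wildcard escaping, "_" matches any character: "axb" matches too.
    loose = db.execute("SELECT count(*) FROM entries WHERE body LIKE ?",
                       ("%a_b%",)).fetchone()[0]
    return results, loose

if __name__ == "__main__":
    print(demo())
```

The same placeholder style is available in Perl DBI by passing bind values to execute, which avoids building the literal by hand at all.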