Max Harvey #1
Clean user input from CGI for output to WIN32::ODBC
Hi,
I have a simple script which takes input from CGI, and outputs it to a
database with WIN32::ODBC.
The problem is when I encounter input with a single quote in it, it
messes up the SQL statement for the Win32::ODBC module.
How can I clean/phrase the input ($comments), so that it can be used
as part of my SQL statement?
Any help would be great... the script basically does what it is
supposed to do, but it can be crashed by the user putting in the wrong
input, something which I know is bad, just aren't good enough with
Perl yet to fix :(
Max.
Max Harvey Guest
-
Matija Papec #2
Re: Clean user input from CGI for output to WIN32::ODBC
X-Ftn-To: Max Harvey
google@DELTAL.org (Max Harvey) wrote:
>The problem is when I encounter input with a single quote in it, it
>messes up the SQL statement for the Win32::ODBC module.
>
>How can I clean/phrase the input ($comments), so that it can be used
>as part of my SQL statement?
>
>Any help would be great... the script basically does what it is
>supposed to do, but it can be crashed by the user putting in the wrong
>input, something which I know is bad, just aren't good enough with
>Perl yet to fix :(
perldoc DBI,
$sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");
or you can manually backslash your values.
--
Matija
Matija Papec Guest
-
Ron Reidy #3
Re: Clean user input from CGI for output to WIN32::ODBC
Look at quote() in perldoc DBI
Max Harvey wrote:
> Hi,
>
> I have a simple script which takes input from CGI, and outputs it to a
> database with WIN32::ODBC.
>
> The problem is when I encounter input with a single quote in it, it
> messes up the SQL statement for the Win32::ODBC module.
>
> How can I clean/phrase the input ($comments), so that it can be used
> as part of my SQL statement?
>
>
> Any help would be great... the script basically does what it is
> supposed to do, but it can be crashed by the user putting in the wrong
> input, something which I know is bad, just aren't good enough with
> Perl yet to fix :(
>
>
>
> Max.
--
Ron Reidy
Oracle DBA
Ron Reidy Guest
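Both suggestions in the thread, placeholders via prepare()/execute() and $dbh->quote(), shown side by side with the interpolated form that breaks. This is an added example, not code from any poster; it assumes DBD::SQLite is installed and uses an in-memory database so it runs anywhere, and the "dbi:ODBC:YourDSN" name mentioned in the comments is a placeholder for the Win32 data source.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample CGI input: a single quote, double quotes and a
# semicolon, the kind of value that breaks a hand-built INSERT statement.
my $comments = q{O'Brien's "quoted" comment; 100% harmless};

# In-memory SQLite stands in for the Win32 data source so this runs
# offline; on the original setup the DSN would be "dbi:ODBC:YourDSN"
# (placeholder name) through DBD::ODBC, and the rest is unchanged.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE feedback (id INTEGER PRIMARY KEY, comments TEXT)");

# 1. Broken: interpolating the raw value into the SQL text. The embedded
#    quote ends the string literal early and the remainder is parsed as
#    SQL, so the statement fails (or, worse, does something else).
my $unsafe_sql = "INSERT INTO feedback (comments) VALUES ('$comments')";
eval { $dbh->do($unsafe_sql) };
print "interpolated SQL failed: ", ($@ ? "yes" : "no"), "\n";

# 2. Safe: placeholder. The driver passes the value separately from the
#    SQL text, so quote characters in the value are never seen as syntax.
my $sth = $dbh->prepare("INSERT INTO feedback (comments) VALUES (?)");
$sth->execute($comments);

# 3. Also safe, when a literal really must be built by hand: quote()
#    wraps the value and escapes it the way this driver's dialect needs
#    (here the single quote is doubled to '' inside the literal).
my $quoted = $dbh->quote($comments);
$dbh->do("INSERT INTO feedback (comments) VALUES ($quoted)");

# Both safe rows round-trip unchanged, quotes included.
my $rows = $dbh->selectcol_arrayref(
    "SELECT comments FROM feedback ORDER BY id");
print "stored: $_\n" for @$rows;
$dbh->disconnect;
```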
-
James Willmore #4
Re: Clean user input from CGI for output to WIN32::ODBC
On Sun, 14 Sep 2003 08:45:11 -0600
Ron Reidy <r_reidy@comcast.net> wrote:
> Look at quote() in perldoc DBI
                     ^^^^^^^^^^^^
>
> Max Harvey wrote:
> > Hi,
> >
> > I have a simple script which takes input from CGI, and outputs it
> > to a database with WIN32::ODBC.
> >
> > The problem is when I encounter input with a single quote in it,
> > it messes up the SQL statement for the Win32::ODBC module.
> >
> > How can I clean/phrase the input ($comments), so that it can be
> > used as part of my SQL statement?
> >
> >
> > Any help would be great... the script basically does what it is
> > supposed to do, but it can be crashed by the user putting in the
> > wrong input, something which I know is bad, just aren't good
> > enough with Perl yet to fix :(

Actually, the OP needs to use WIN32::DBIODBC, then he can look up the
'quote' method. There is no 'quote' method in WIN32::ODBC, I think.
Or, simply switch to DBI.
Just an observation :)
--
Jim
Copyright notice: all code written by the author in this post is
released under the GPL. http://www.gnu.org/licenses/gpl.txt
for more information.
a fortune quote ...
Idaho state law makes it illegal for a man to give his sweetheart
a box of candy weighing less than fifty pounds.
James Willmore Guest
-
Max Harvey #5
Re: Clean user input from CGI for output to WIN32::ODBC
James Willmore <jwillmore@cyberia.com> wrote in message news:<20030914164204.768ea317.jwillmore@cyberia.com>...
> On Sun, 14 Sep 2003 08:45:11 -0600
> Ron Reidy <r_reidy@comcast.net> wrote:
> > Look at quote() in perldoc DBI
>                      ^^^^^^^^^^^^
> >
> > Max Harvey wrote:
> > > I have a simple script which takes input from CGI, and outputs it
> > > to a database with WIN32::ODBC.
> > >
> > > The problem is when I encounter input with a single quote in it,
> > > it messes up the SQL statement for the Win32::ODBC module.
> > >
> > > How can I clean/phrase the input ($comments), so that it can be
> > > used as part of my SQL statement?
Thanks for everybody's help.
One of the early responses was to use my $sth = $dbh->prepare(sql);
This is actually DBI, not Win32::ODBC, as far as I can tell.
Anyhow, the CGI script I was creating wasn't that large, so switching
from Win32::ODBC to DBI and DBD::ODBC wasn't too much work.
I have now done as advised/suggested, and I haven't managed to find
any combination of user input which will kill my script.
I have tried no input (underrun), lots and lots of input (overrun),
weird non-standard charsets etc., and the script seems to hold its
own.
Also I guess now I am using DBI, a change of backend won't be too
difficult if the script starts getting more work than it was expected
to.
Once again, thanks to all those who assisted.
Max.
Max Harvey Guest