in reply to Quotes In CGI

    # 20 columns, 20 placeholders; DBI quotes the bound values, so quotes in
    # a field cannot break the statement.
    my $ins = "INSERT INTO `items` (`category`, `itemid`, `description`, `longdescription`,
                                    `size`, `o1n`, `o1o`, `o2n`, `o2o`, `o3n`, `o3o`,
                                    `c1n`, `c1v`, `c2n`, `c2v`, `c3n`, `c3v`,
                                    `price`, `small`, `large`)
               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    my $sth = $dbh->prepare($ins) or die $dbh->errstr;
    # 17 form parameters in column order, then the three computed values
    $sth->execute(map(scalar param($_), qw(cat itemid des longdes size o1n o1o o2n o2o o3n o3o
                                           c1n c1v c2n c2v c3n c3v)),
                  $price, $small, $large) or die $dbh->errstr;

Re: Re: Quotes In CGI
by dws (Chancellor) on Oct 07, 2002 at 21:46 UTC
    You're letting un-Taint-checked data into your database, though it should be correctly quoted. I hope you trust your users.

    Your original problem statement is:

    Well, I'm having a problem: if a user fills out one of my forms and puts something in quotes, when that gets printed from the database everything beyond the quotes is wiped out; they don't even show up in text fields.
    Let's break this down. From what you've shown, quotes in a field should get correctly quoted on insert to the database. Have you verified that data is truncated once it's in the database? Assuming that the corrupted data is from the "description" field, what does SELECT description FROM items WHERE itemid=? show when you plug in the right itemid?

    If it's correct in the database, then you've narrowed the search, and we can then start examining the path data takes on the way back from the database. E.g., if you're putting data that contains quotes into HTML edit controls, you'll need to entity-escape the data.

    And please post your responses under the correct node. It makes the discussion easier to follow.
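The following script is an added example, not code from the original poster or from dws, and it walks the two stages this reply separates for the insert code posted above: first the placeholder round trip through DBI, then the HTML output path where an unescaped double quote closes the value="..." attribute early. It assumes DBD::SQLite for an in-memory table (the thread does not say which database is in use), a constructed sample description, and the hypothetical helper names escape_attr and attr_value_as_browser_sees.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample value: both quote kinds, markup and an ampersand,
# the characters most likely to be mangled on the way out of the database.
my $desc = q{Widget "deluxe" (10" screen) <b>bold</b> & it's cheap};

# Stage 1: the insert path. With placeholders the driver does the quoting,
# so the description must come back from SELECT byte for byte.
# Assumes DBD::SQLite; the original thread does not say which database is used.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE items (itemid TEXT PRIMARY KEY, description TEXT)');
my $sth = $dbh->prepare('INSERT INTO items (itemid, description) VALUES (?, ?)');
$sth->execute('w-1', $desc);

my ($back) = $dbh->selectrow_array(
    'SELECT description FROM items WHERE itemid = ?', undef, 'w-1');
print 'stored value ', ($back eq $desc ? 'intact' : 'CORRUPTED'), "\n";

# Stage 2: the output path. Interpolating the raw value into an attribute
# lets the first embedded double quote close the attribute; escaping it as an
# entity keeps the whole value inside value="...". Hypothetical helper name.
sub escape_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;      # ampersand first so the entities added below stay single
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my $unescaped = qq{<input type="text" name="des" value="$back">};
my $escaped   = qq{<input type="text" name="des" value="} . escape_attr($back) . qq{">};

# Reproduce what the browser makes of the value attribute: it reads up to the
# next raw double quote, then decodes entities. Hypothetical helper name.
sub attr_value_as_browser_sees {
    my ($html) = @_;
    my ($raw) = $html =~ /\bvalue="([^"]*)"/;
    $raw =~ s/&quot;/"/g;
    $raw =~ s/&#39;/'/g;
    $raw =~ s/&lt;/</g;
    $raw =~ s/&gt;/>/g;
    $raw =~ s/&amp;/&/g;    # last, so a literal "&amp;lt;" decodes only once
    return $raw;
}

for my $case ([unescaped => $unescaped], [escaped => $escaped]) {
    my ($label, $html) = @$case;
    my $seen = attr_value_as_browser_sees($html);
    printf "%-9s field shows: %s\n", $label, $seen;
    printf "%-9s %s\n", '', ($seen eq $desc ? 'complete' : 'truncated');
}
```

The unescaped case stops at the first embedded double quote, which is exactly the symptom described in the original post, while the stored row is untouched. Placeholders settle the SQL side but not the taint point raised above: under -T, values from param() are still tainted until you extract what you accept with a regex capture, so escaping on output and validating on input are two separate jobs.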