Clean user input from CGI for output to WIN32::ODBC

Max Harvey

Hi,

I have a simple script which takes input from CGI, and outputs it to a
database with WIN32::ODBC.

The problem is when I encounter input with a single quote in it, it
messes up the SQL statement for the Win32::ODBC module.

How can I clean/phrase the input ($comments), so that it can be used
as part of my SQL statement?


Any help would be great... the script basically does what it is
supposed to do, but it can be crashed by the user putting in the wrong
input, something which I know is bad; I'm just not good enough with
Perl yet to fix it :(



Max.
 
Matija Papec

X-Ftn-To: Max Harvey

> The problem is when I encounter input with a single quote in it, it
> messes up the SQL statement for the Win32::ODBC module.
>
> How can I clean/phrase the input ($comments), so that it can be used
> as part of my SQL statement?
>
> Any help would be great... the script basically does what it is
> supposed to do, but it can be crashed by the user putting in the wrong
> input, something which I know is bad; I'm just not good enough with
> Perl yet to fix it :(

perldoc DBI,
$sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");

or you can manually backslash your values.
 
James Willmore

Look at quote() in perldoc DBI

Actually, the OP needs to use WIN32::DBIODBC, then he can look up the
'quote' method. There is no 'quote' method in WIN32::ODBC, I think.
Or, simply switch to DBI.

Just an observation :)

--
Jim

Copyright notice: all code written by the author in this post is
released under the GPL. http://www.gnu.org/licenses/gpl.txt
for more information.

a fortune quote ...
Idaho state law makes it illegal for a man to give his sweetheart
a box of candy weighing less than fifty pounds.
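The two fixes suggested in this thread side by side, as an added example and not code posted by any of the participants: a placeholder `prepare`/`execute` (Matija's suggestion) and `$dbh->quote` (Jim's), with the interpolated statement shown first so the single-quote failure is visible. It assumes DBD::SQLite with an in-memory database in place of the ODBC DSN so it runs offline; the `comments` table and the column names are made up for the example, and with DBD::ODBC only the connect string would change.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite (in-memory) stands in for the ODBC DSN so the
# example runs without a database server. With DBD::ODBC the connect
# string would be something like "dbi:ODBC:MyDSN" instead.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Hypothetical table for the example.
$dbh->do("CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)");

# Constructed sample input, as a CGI form might deliver it. The single
# quotes are exactly what broke the original interpolated statement.
my $name     = "O'Brien";
my $comments = "Don't do that; it's 'quoted' text";

# 1) Interpolating user input straight into the statement: the first
#    quote inside the data terminates the string literal and the rest
#    is parsed as SQL, so the statement fails (or does something else).
my $unsafe_sql = "INSERT INTO comments (name, body) VALUES ('$name', '$comments')";
eval { $dbh->do($unsafe_sql) };
print "interpolated statement failed: $@" if $@;

# 2) Placeholders: the driver passes the values separately from the
#    statement text, so quotes in the data never reach the SQL parser.
my $sth = $dbh->prepare("INSERT INTO comments (name, body) VALUES (?, ?)");
$sth->execute($name, $comments);

# 3) $dbh->quote: for the case where a value really has to be spliced
#    into the statement string, the driver escapes it for that database.
my $quoted_sql = sprintf "INSERT INTO comments (name, body) VALUES (%s, %s)",
    $dbh->quote($name), $dbh->quote($comments);
$dbh->do($quoted_sql);

# Read back what was stored: both rows hold the quotes verbatim.
my $rows = $dbh->selectall_arrayref("SELECT name, body FROM comments ORDER BY id");
printf "%-8s | %s\n", @$_ for @$rows;

$dbh->disconnect;
```

Placeholders are the better default: the value never becomes part of the SQL text, so there is nothing to escape and the prepared statement can be reused for every row. `$dbh->quote` is driver-specific by design, which is also why it is a DBI method and not something Win32::ODBC offers.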
 
Max Harvey

Thanks for everybody's help.

One of the early responses was to use my $sth = $dbh->prepare($sql);

This is actually DBI, not Win32::ODBC, as far as I can tell.

Anyhow, the CGI script I was creating wasn't that large, so switching
from Win32::ODBC to DBI and DBD::ODBC wasn't too much work.

I have now done as advised/suggested, and I haven't managed to find
any combination of user input which will kill my script.

I have tried no input (underrun), lots and lots of input (overrun),
weird non-standard charsets etc., and the script seems to hold its
own.

Also, I guess now that I am using DBI, a change of backend won't be too
difficult if the script starts getting more work than it was expected
to.


Once again, thanks for all those who assisted.


Max.
 