Gossamer Forum

INSERT data -> Single Quotation Marks

Okay...I've noticed a bug for a long time in Perl with adding data with single quotation marks from text form fields into MySQL (and Links SQL is affected). You get a bad SQL statement error since the single quotation marks terminate the statement. This problem is evident in both referencing the add_record sub and writing raw SQL INSERT/UPDATE statements.

I've tried adding regexp for inputted parameters to remove the single quotes in the sub process_form routine in my add and edit scripts...yet the string is replaced with the number of single quotes rather than the complete value entered.

Any suggestions for fixing this bug? (Also, something that can be globally applied to all scripts would be beneficial, rather than configuring each parameter separately.)

Thanks in advance.

Regards,

Eliot Lee Wink
http://anthrotech.com/
Re: INSERT data -> Single Quotation Marks
Hi,

Have you tried using quote() ?



Mods: http://wiredon.net/gt/download.shtml
Installations: http://wiredon.net/gt/
Re: INSERT data -> Single Quotation Marks
Really? In Links SQL 1.x, sub add_record, the values go through:

$insert_value .= $DBH->quote($rec_r->{$column}) . ",";

so any ' in the data will be escaped.

Cheers,

Alex

--
Gossamer Threads Inc.
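
The failure and the fix discussed in this thread, as an added example that is not part of the original posts or of the Links SQL code: raw interpolation of a value containing ' breaks the statement, while $DBH->quote() or bind placeholders store it intact. Assumptions: DBD::SQLite is installed and an in-memory database stands in for MySQL; the Links table layout and the sample record are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite stands in for the MySQL database.
my $DBH = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$DBH->do("CREATE TABLE Links (ID INTEGER PRIMARY KEY, Title TEXT, Description TEXT)");

# Constructed form input containing single quotes.
my $rec_r   = { Title => "Eliot's Site", Description => "It's a 'quoted' text" };
my @columns = sort keys %$rec_r;            # fixed names from code, never from the form
my $col_list = join ",", @columns;

# 1. Raw interpolation: the ' inside the data ends the SQL string literal early,
#    so the database rejects the statement (the error reported in the thread).
my $raw = "INSERT INTO Links (Title) VALUES ('$rec_r->{Title}')";
my $ok  = eval { $DBH->do($raw); 1 };
print "raw interpolation: ", ($ok ? "inserted\n" : "failed: $@");

# 2. quote() on every value, the approach add_record is described as using:
#    the driver escapes embedded quotes and adds the surrounding ones.
my $insert_value = join ",", map { $DBH->quote($rec_r->{$_}) } @columns;
print "quoted values:     $insert_value\n";
$DBH->do("INSERT INTO Links ($col_list) VALUES ($insert_value)");

# 3. Placeholders: values travel separately from the SQL text, so no per-field
#    escaping is needed and one helper can serve every script.
my $marks = join ",", ("?") x @columns;
$DBH->do("INSERT INTO Links ($col_list) VALUES ($marks)", undef, @{$rec_r}{@columns});

# Both stored rows come back with the original quotes intact.
for my $row (@{ $DBH->selectall_arrayref("SELECT ID, Title, Description FROM Links") }) {
    print join(" | ", @$row), "\n";
}
$DBH->disconnect;
```

Stripping quotes from form input with a regexp changes the stored data; quoting or binding at the point where the SQL is built keeps the value as entered.
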
Re: INSERT data -> Single Quotation Marks
Thanks, Paul and Alex...I messed up the add_record and modify_record calls...all is working well now.

Thanks...

Regards,

Eliot Lee Wink
http://anthrotech.com/