Odd characters in inserted data...
From | PETER PAULY |
---|---|
Subject | Odd characters in inserted data... |
Date | |
Msg-id | 19981129222947.29657.qmail@www0n.netaddress.usa.net |
List | pgsql-sql |
I'm using the "C" interface to write CGI code for a web application. I allow the user to type data into a particular field, and am storing that data into a field in a postgres database.

The problem is, I have to filter the data that the user entered to remove any single quotes and other odd characters so that my SQL command doesn't get messed up. I'm building the command with printf and passing the filtered data from the user as so:

    update tablename set comment = '%s' where .....

And %s is substituted in the printf with the user data. If the user typed in a single quote, it would cause havoc with the sql statement.

My question is, is there a better way to pass data to these commands, than to build a command string like you see above? My preference would be to pass a pointer to the data, or something like that. (same issue with insert).

____________________________________________________________________
Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
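As an added illustration (not part of the original message or of libpq), the following C shows why the printf-built statement breaks on a single quote, how the literal can be built safely by doubling quotes, and a simple check that catches the broken case. The `where id = %d` clause, the `escape_literal` helper and `quote_balance_ok` are assumptions for the example; with real libpq code, `PQescapeStringConn` does this escaping and `PQexecParams` avoids building a literal at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern from the message: user text dropped straight into the quoted
 * literal. A single quote in the text ends the literal early and changes the
 * statement's structure. Kept only to show the failure mode. */
char *build_unsafe(const char *comment, int id) {
    size_t n = strlen(comment) + 64;
    char *sql = malloc(n);
    if (sql) snprintf(sql, n,
        "update tablename set comment = '%s' where id = %d", comment, id);
    return sql;            /* caller frees */
}

/* Hypothetical helper: make user text safe inside a single-quoted SQL
 * literal by doubling every single quote, so the data keeps its quotes
 * instead of stripping them. Backslash handling depends on the server's
 * standard_conforming_strings setting, which is one more reason to prefer
 * PQexecParams in real code. Returns a malloc'd string. */
char *escape_literal(const char *in) {
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1);   /* worst case: every byte doubled */
    if (!out) return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        if (*s == '\'') *p++ = '\'';   /* ' becomes '' */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

char *build_escaped(const char *comment, int id) {
    char *esc = escape_literal(comment);
    if (!esc) return NULL;
    size_t n = strlen(esc) + 64;
    char *sql = malloc(n);
    if (sql) snprintf(sql, n,
        "update tablename set comment = '%s' where id = %d", esc, id);
    free(esc);
    return sql;
}

/* Sanity check before sending: the statement has exactly one literal, so
 * after skipping doubled quotes there must be exactly two quote characters.
 * A detection aid for tests and logging, not a substitute for parameters. */
int quote_balance_ok(const char *sql) {
    int quotes = 0;
    for (const char *s = sql; *s; s++)
        if (*s == '\'') { if (s[1] == '\'') s++; else quotes++; }
    return quotes == 2;
}
```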