Re: [SQL] Odd characters in inserted data...
From | S.Ramaswamy |
---|---|
Subject | Re: [SQL] Odd characters in inserted data... |
Date | |
Msg-id | 3663B3F4.5360F306@del1.vsnl.net.in |
In reply to | Odd characters in inserted data... (PETER PAULY <ppauly@usa.net>) |
List | pgsql-sql |
PETER PAULY wrote:
> I'm using the "C" interface to write CGI code for a web application. I allow
> the user to type data into a particular field, and am storing that data into a
> field in a postgres database.
>
> The problem is, I have to filter the data that the user entered to remove any
> single quotes and other odd characters so that my SQL command doesn't get
> messed up. I'm building the command with printf and passing the filtered
> data from the user as so:
>
> update tablename set comment = '%s' where .....
>
> And %s is substituted in the printf with the user data. If the user typed in a
> single quote, it would cause havoc with the sql statement. My question is, is

You should substitute a single quote with two single quotes.

> there a better way to pass data to these commands, than to build a command
> string like you see above? My preference would be to pass a pointer to the
> data, or something like that. (same issue with insert).
>
> ____________________________________________________________________
> Get free e-mail and a permanent address at http://www.netaddress.com/?N=1

-- 
___________________________________________________________________________
S.Ramaswamy
Matrix Infotech Syndicate
D-7, Poorti, Vikaspuri, New Delhi, 110018, India
PHONE: +91-11-5610050, FAX: +91-11-5535103
WEB : http://MatrixInfotech.HyperMart.Net
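The exchange above, worked through in C as an added example (this is not code from either poster, nor from libpq): the statement is built twice from the same typed comment, once the way Peter describes (user text pasted straight into the printf template) and once with every single quote doubled as S.Ramaswamy advises. Backslashes are doubled too, since PostgreSQL servers of that period treat backslash as an escape character inside a literal, so a trailing backslash would otherwise swallow the closing quote. A small literal counter, scanning quotes the way the server's lexer does, then checks that the finished statement still contains exactly one string literal. The table name, the `id` column and the typed text are placeholders constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape user text for use inside a single-quoted SQL literal by doubling
 * every single quote, as the reply suggests. Backslashes are doubled as
 * well, because servers that treat backslash as an escape character inside
 * a literal would otherwise let a trailing backslash eat the closing quote.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *escape_literal(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1);      /* worst case: every byte doubled */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'' || *s == '\\')
            *p++ = *s;                    /* emit the escaping copy first */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build the UPDATE from Peter's message. With escape=0 this is the original
 * printf-style construction (user text pasted straight into the statement);
 * with escape=1 the text goes through escape_literal first. "tablename" and
 * the "id" column are placeholders for whatever the real schema uses.
 * Returns 0 on success, -1 if the buffer is too small or malloc fails. */
int build_update(char *buf, size_t bufsz, const char *comment, long id, int escape)
{
    char *text = escape ? escape_literal(comment) : (char *)comment;
    if (text == NULL)
        return -1;
    int n = snprintf(buf, bufsz,
                     "update tablename set comment = '%s' where id = %ld",
                     text, id);
    if (escape)
        free(text);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

/* Scan a statement the way the server's lexer sees its string literals:
 * '' and \' inside a literal are escaped quotes, anything else between
 * quotes is data. Returns the number of complete literals, or -1 if a
 * literal is still open at the end of the statement. Anything built from
 * the template above must contain exactly one. */
int count_literals(const char *sql)
{
    int count = 0, in_lit = 0;
    for (const char *s = sql; *s != '\0'; s++) {
        if (!in_lit) {
            if (*s == '\'')
                in_lit = 1;
        } else if (*s == '\\' && s[1] != '\0') {
            s++;                          /* backslash escapes the next byte */
        } else if (*s == '\'') {
            if (s[1] == '\'')
                s++;                      /* doubled quote: a literal quote */
            else {
                in_lit = 0;
                count++;
            }
        }
    }
    return in_lit ? -1 : count;
}

/* Check helper: build with or without escaping and report how many
 * literals the result contains (1 = intact statement, -1 = broken). */
int literals_after_build(const char *comment, int escape)
{
    char buf[512];
    if (build_update(buf, sizeof buf, comment, 42, escape) != 0)
        return -2;
    return count_literals(buf);
}

/* Check helper: 1 if the escaped build equals the expected statement text. */
int escaped_build_equals(const char *comment, long id, const char *expected)
{
    char buf[512];
    if (build_update(buf, sizeof buf, comment, id, 1) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample of what a user might type into the comment field. */
    const char *typed = "it's a C:\\path";
    char buf[512];
    build_update(buf, sizeof buf, typed, 42, 0);
    printf("naive:   %s  (literals: %d)\n", buf, count_literals(buf));
    build_update(buf, sizeof buf, typed, 42, 1);
    printf("escaped: %s  (literals: %d)\n", buf, count_literals(buf));
    return 0;
}
```

Doubling quotes answers the question as asked; the "pointer to the data" approach Peter would have preferred is what later libpq offers with PQexecParams, where values travel separately from the statement text and no escaping is needed at all, and PQescapeStringConn does the doubling above with the server's actual escape settings taken into account.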