
Populating a MYSQL DB from a textarea

I have the following input in a form on a web site.


<TD> Other Information<br>
<textarea cols = "50" rows = "4" Name = "txtInformation"> </textarea>
</TD>
   
The form posts to an ASP page which, amongst other things, populates a MySQL database as follows:

set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')")

(There are lots of other things here, but I have taken them out for simplicity's sake.)

This all works well with normal text

"You are looking good" for instance works fine but as soon as we try
"You're looking good" the system falls down.

The Field in the DB is set to longtext.

Do I need to adjust the field?

Your assistance would be much appreciated
Asked by: Misafi
1 Solution
 
VoteyDiscipleCommented:
You have to "escape" quote marks by putting a \ before each one.  Replace ' with \' and it will work fine.

You should be doing this with ALL text fields (not just <textarea>s) since allowing 's in your user data makes it very easy for a user to hack your database (e.g. to delete its entire contents).
 
AlexNekCommented:
You need to replace such text because a single ' or " is not allowed in a DB string:
You're looking good --> You''re looking good
You're looking good--> You &prime; re looking good
 
MisafiAuthor Commented:
Thank you VoteyDisciple and Alexnek

Sorry, I'm obviously being a bit dim here (notice the "I'm", which this program allows).
The point is: how do I allow the user to type a ' ? It would not be practical to ask him to type a \ before each one.

It is the visitor to the site who is typing the input into the textarea.

rgds

Misafi

 
VoteyDiscipleCommented:
Of course you can't rely on the user here; it's the programmer's job to prepare the SQL query, including escaping user input.  Since in this case you need to do a string replacement, the Replace() function should be perfect:

Information = Replace(Information, "'", "\'")
set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')")

(And likewise use a call to Replace() for any other part of the query that comes from the user.)
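Editor's note, added to this thread: the Replace() above fixes the apostrophe, but MySQL also treats a backslash inside a quoted literal as an escape character, so user text that itself contains a backslash must have that backslash doubled first (this is what mysql_real_escape_string() does). The example below is not from the thread or its posters; it re-implements, in Python, how MySQL lexes a single-quoted literal under the default sql_mode (backslash escapes on, plus '' for one quote, and "-- "/"#" comments outside literals) and uses that to compare the apostrophe-only Replace() with a full escape. Function names are hypothetical and the injection payload is constructed for the demonstration.

```python
# Added example (not from the thread): why escaping only the apostrophe is not
# enough for MySQL. A tiny re-implementation of how MySQL lexes single-quoted
# string literals (default sql_mode: backslash escapes on) is used to check
# where the user's text ends up in the rendered INSERT. Function names are
# hypothetical; the injection payload is constructed for the demonstration.

# What mysql_real_escape_string() rewrites. The backslash must be escaped too,
# otherwise a user-supplied "\'" becomes "\\'" and the quote is live again.
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}
# Reverse map used by the lexer below (\b and \t are valid in MySQL as well).
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}


def naive_escape(text):
    r"""The Replace(Information, "'", "\'") advice from the thread."""
    return text.replace("'", "\\'")


def mysql_escape(text):
    """Escape every character mysql_real_escape_string() escapes."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in text)


def render_insert(escaped):
    """The statement the ASP page builds by string concatenation."""
    return "INSERT INTO buy VALUES ('', '" + escaped + "')"


def parse_literals(sql):
    """Split sql into (decoded single-quoted literals, everything outside them).

    Inside '...': a backslash escapes the next character and '' is one quote.
    Outside: "-- " and "#" start a comment that runs to end of line.
    Raises ValueError on an unterminated literal (MySQL reports a syntax error).
    """
    literals, outside = [], []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "#" or sql.startswith("-- ", i):
            end = sql.find("\n", i)
            end = n if end < 0 else end
            outside.append(sql[i:end])
            i = end
            continue
        if ch != "'":
            outside.append(ch)
            i += 1
            continue
        i += 1                      # skip the opening quote
        buf = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            ch = sql[i]
            if ch == "\\" and i + 1 < n:
                nxt = sql[i + 1]
                # \% and \_ keep their backslash (only meaningful in LIKE).
                buf.append("\\" + nxt if nxt in "%_" else _UNESCAPE.get(nxt, nxt))
                i += 2
            elif ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    buf.append("'")     # doubled quote is one literal quote
                    i += 2
                else:
                    i += 1              # closing quote
                    break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
    return literals, "".join(outside)


def stays_in_literal(escaper, user_text):
    """True if user_text, escaped with `escaper`, is stored verbatim as the
    second column and nothing of it leaks into the statement structure."""
    try:
        literals, outside = parse_literals(render_insert(escaper(user_text)))
    except ValueError:
        return False
    return literals == ["", user_text] and outside == "INSERT INTO buy VALUES (, )"


# Constructed inputs: the poster's sentence, and a payload whose leading
# backslash survives the apostrophe-only Replace() and re-opens the quote,
# so a second row "(0, 0)" is appended and the template's tail is commented out.
APOSTROPHE = "You're looking good"
INJECTION = "\\'), (0, 0) -- "

if __name__ == "__main__":
    for escaper in (naive_escape, mysql_escape):
        for text in (APOSTROPHE, INJECTION):
            print(escaper.__name__, repr(text), stays_in_literal(escaper, text))
        print("  outside the literals:", parse_literals(render_insert(escaper(INJECTION)))[1])
```

With the apostrophe-only Replace(), the payload renders as `'\\'), (0, 0) -- ')`: the doubled backslash is one escaped backslash, the quote closes the literal, and the rest of the user's text becomes part of the statement. Escaping the backslash first keeps the whole input inside the literal, and it is stored exactly as typed, without the backslashes.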
 
AlexNekCommented:
You must not disallow typing some symbols; you must convert "illegal" symbols to legal ones. Just have the program add a backslash before writing to the database and convert it back before viewing.
 
VoteyDiscipleCommented:
Actually there's no need at all to "convert back" when using the data.  The \ will not actually get stored in the database at all; it's just part of the query.  Just as the "INSERT INTO" and "VALUES" have nothing to do with how the data get stored in the table, the \ is just another piece of syntax to write an INSERT statement.

If you write:

INSERT INTO buy (field) VALUES ('I\'m an Apostrophe');

... and then write...

SELECT field FROM buy

... you'll see...

I'm an Apostrophe


MySQL has no problem storing or displaying data with quote marks in it, it just has to be able to understand that INSERT query in the first place.  If you find yourself having to remove backslashes from database data when displaying it, something somewhere has gone wrong.
 
MisafiAuthor Commented:
The point is that I need the visitor to the site to be able to type in what he wants. Just as I'm doing here in this particular text area (The Expert's Exchange comments area) - How do I do that?
The visitor cannot be expected to know whether or not to use a \

rgds

Misafi
 
AlexNekCommented:
You can change the Information string just before

set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')")
 
MisafiAuthor Commented:
Thanks, AlexNek - Sorry - I didn't pick up on your earlier point.

Does that mean that it is only the apostrophe that gives problems?
Are dashes - accents - double quotation marks - hashes etc all acceptable?
Or do I have to call a replace for all of these? If so, can you direct me to a site where I can find them?

rgds

Misafi
 
AlexNekCommented:
Here are the special characters:
http://publib.boulder.ibm.com/infocenter/cldscp10/index.jsp?topic=/com.ibm.cloudscape.doc/sqlj08.htm
You can find the MySQL description here:
http://dev.mysql.com/doc/refman/4.1/en/index.html
You must think about the SQL insert syntax: INSERT INTO buy VALUES '',''
If your string contains ', it could be interpreted as the closing apostrophe, so you need to prevent that. It can be done with an additional backslash or by duplicating the character.
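Editor's note, added to this thread: the cleanest way to stop a ' (or \, or anything else) from being read as the end of the literal is to not put the user's text into the SQL string at all, and instead hand it to the driver as a parameter. The example below is not from the thread or its posters. Python's built-in sqlite3 stands in for MySQL so it runs offline (a MySQL driver uses %s where sqlite3 uses ?, and the same idea is available to classic ASP through ADODB.Command parameters); the sample rows, the payload and the function names are constructed for the demonstration.

```python
# Added example (not from the thread): keep user text out of the statement
# text with a parameterised query. sqlite3 stands in for MySQL so this runs
# offline; names and sample inputs are constructed for the demonstration.
import sqlite3


def open_store():
    """In-memory stand-in for the thread's `buy` table (second column is the free text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE buy (id INTEGER PRIMARY KEY, information TEXT)")
    return conn


def insert_unsafe(conn, information):
    """The thread's string concatenation, kept only for comparison."""
    conn.execute("INSERT INTO buy (information) VALUES ('" + information + "')")
    conn.commit()


def insert_safe(conn, information):
    """Placeholder query: the value travels separately from the SQL text, so no
    quote, backslash or comment marker in it can change the statement."""
    conn.execute("INSERT INTO buy (information) VALUES (?)", (information,))
    conn.commit()


def stored_values(conn):
    """What actually landed in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT information FROM buy ORDER BY id")]


def run_unsafe(texts):
    """Concatenate each text into an INSERT; return (rows stored, driver errors)."""
    conn = open_store()
    errors = []
    for text in texts:
        try:
            insert_unsafe(conn, text)
        except sqlite3.Error as exc:   # the poster's "system falls down"
            errors.append(str(exc))
    return stored_values(conn), errors


def run_safe(texts):
    """Insert each text through a placeholder; return the rows stored."""
    conn = open_store()
    for text in texts:
        insert_safe(conn, text)
    return stored_values(conn)


# Constructed inputs: the poster's sentence, a payload that closes the literal
# and appends a second row, and a backslash-led one for good measure.
APOSTROPHE = "You're looking good"
PAYLOAD = "x'), ('injected"
BACKSLASH = "\\' OR 1=1 -- "

if __name__ == "__main__":
    rows, errors = run_unsafe([APOSTROPHE, PAYLOAD])
    print("concatenation stored:", rows, "errors:", errors)
    print("parameterised stored:", run_safe([APOSTROPHE, PAYLOAD, BACKSLASH]))
```

With concatenation, the apostrophe sentence is rejected with a syntax error and the payload is accepted but writes two rows, neither of which is what the visitor typed. With the placeholder, every input is stored exactly as typed, in one row each, and there is nothing to "convert back" when displaying it.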
 
MisafiAuthor Commented:
Many thanks for your help