Solved

Populating a MYSQL DB from a textarea

Posted on 2006-11-26
11
385 Views
Last Modified: 2008-02-01
I have the following input in a form on a web site.


<TD> Other Information<br>
<textarea cols = "50" rows = "4" Name = "txtInformation"> </textarea>
</TD>
   
The form posts to an ASP page which, amongst other things, populates a MySQL database as follows:

set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')") - lots of other things here but I have taken them out for simplicity's sake.

This all works well with normal text

"You are looking good" for instance works fine but as soon as we try
"You're looking good" the system falls down.

The Field in the DB is set to longtext.

Do I need to adjust the field?

Your assistance would be much appreciated
0
Comment
Question by:Misafi
11 Comments
 
LVL 19

Expert Comment

by:VoteyDisciple
ID: 18014498
You have to "escape" quote marks by putting a \ before each one.  Replace ' with \' and it will work fine.

You should be doing this with ALL text fields (not just <textarea>s) since allowing 's in your user data makes it very easy for a user to hack your database (e.g. to delete its entire contents).
0
 
LVL 16

Expert Comment

by:AlexNek
ID: 18014508
You need to replace such text because a single ' or " is not allowed in a DB string
You're looking good --> You''re looking good
You're looking good--> You &prime; re looking good
0
 

Author Comment

by:Misafi
ID: 18014802
Thank you VoteyDisciple and Alexnek

Sorry, I'm obviously being a bit dim here (notice the "I'm"- which this program allows).
The point is - how do I allow the user to type ' ? It would not be practical to ask him to type a \ before each one.

It is the visitor to the site who is typing the input into the textarea.

rgds

Misafi

0
 
LVL 19

Expert Comment

by:VoteyDisciple
ID: 18014817
Of course you can't rely on the user here; it's the programmer's job to prepare the SQL query, including escaping user input.  Since in this case you need to do a string replacement, the Replace() function should be perfect:

Information = Replace(Information, "'", "\'")
set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')")

(And likewise use a call to Replace() for any other part of the query that comes from the user.)
0
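Added example, not part of the thread: a check of the Replace() fix above against input that contains a backslash, next to an escape routine that covers the same characters MySQL's own mysql_real_escape_string() handles (backslash, both quote marks, NUL, CR, LF and Ctrl-Z). The attacker input is constructed for the demonstration. The script runs under cscript.exe (Windows Script Host); the two functions are plain VBScript and can be pasted into the ASP page unchanged.

```vbscript
Option Explicit

' Escape a value for use inside a single-quoted MySQL string literal.
' Backslash must be handled FIRST, otherwise the backslashes added for
' the other characters would themselves be doubled.
Function MySQLEscape(ByVal s)
    s = Replace(s, "\", "\\")
    s = Replace(s, "'", "\'")
    s = Replace(s, """", "\""")
    s = Replace(s, Chr(0), "\0")
    s = Replace(s, vbCr, "\r")
    s = Replace(s, vbLf, "\n")
    s = Replace(s, Chr(26), "\Z")
    MySQLEscape = s
End Function

' The one-character fix from the thread, kept for comparison.
Function ApostropheOnly(ByVal s)
    ApostropheOnly = Replace(s, "'", "\'")
End Function

' Build the INSERT the way the question does, with the value spliced in.
Function BuildInsert(ByVal escaped)
    BuildInsert = "INSERT INTO buy VALUES ('', '" & escaped & "')"
End Function

' Constructed attacker input: a backslash placed in front of the apostrophe.
' ApostropheOnly() turns \' into \\' which MySQL reads as an escaped
' backslash followed by a real, string-closing quote, so everything after
' it is parsed as SQL. Whether the second statement actually executes
' depends on the driver's multi-statement setting; the literal is closed
' either way, and that is the problem.
Dim payload
payload = "x\'); DROP TABLE buy; -- "

WScript.Echo "Apostrophe only: " & BuildInsert(ApostropheOnly(payload))
' INSERT INTO buy VALUES ('', 'x\\'); DROP TABLE buy; -- ')   string ends after x\\

WScript.Echo "Full escape:     " & BuildInsert(MySQLEscape(payload))
' INSERT INTO buy VALUES ('', 'x\\\'); DROP TABLE buy; -- ')  still inside the literal;
' the row stored is exactly the text the visitor typed

WScript.Echo "Ordinary text:   " & BuildInsert(MySQLEscape("You're looking good"))
' INSERT INTO buy VALUES ('', 'You\'re looking good')       stored as: You're looking good
```

Escaping the value is only ever a patch over string-building; the character list has to match the server's rules (a multi-byte connection charset, for instance, is not covered by a plain Replace()), which is why bound parameters are the better answer wherever the driver supports them.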
 
LVL 16

Expert Comment

by:AlexNek
ID: 18014825
You must not disallow typing some symbols; you must convert "illegal" symbols to legal ones. Just add the backslash in the program before writing to the database and convert it back before viewing.
0
 
LVL 19

Expert Comment

by:VoteyDisciple
ID: 18014847
Actually there's no need at all to "convert back" when using the data.  The \ will not actually get stored in the database at all; it's just part of the query.  Just as the "INSERT INTO" and "VALUES" have nothing to do with how the data get stored in the table, the \ is just another piece of syntax to write an INSERT statement.

If you write:

INSERT INTO buy (field) VALUES ('I\'m an Apostrophe');

... and then write...

SELECT field FROM buy

... you'll see...

I'm an Apostrophe


MySQL has no problem storing or displaying data with quote marks in it, it just has to be able to understand that INSERT query in the first place.  If you find yourself having to remove backslashes from database data when displaying it, something somewhere has gone wrong.
0
 

Author Comment

by:Misafi
ID: 18015133
The point is that I need the visitor to the site to be able to type in what he wants. Just as I'm doing here in this particular text area (The Expert's Exchange comments area) - How do I do that?
The visitor cannot be expected to know whether or not to use a \

rgds

Misafi
0
 
LVL 16

Expert Comment

by:AlexNek
ID: 18015195
you can change the Information string just before
set rs = conn.Execute("INSERT INTO buy VALUES ('',  '"+Information+"')")
0
 

Author Comment

by:Misafi
ID: 18017251
Thanks, AlexNek - Sorry - I didn't pick up on your earlier point.

Does that mean that it is only the apostrophe that gives problems?
Are dashes - accents - double quotation marks - hashes etc all acceptable?
Or do I have to call a replace for all of these - if so can you direct me to a site where I can find them.

rgds

Misafi
0
 
LVL 16

Accepted Solution

by:
AlexNek earned 250 total points
ID: 18018819
here are the special characters
http://publib.boulder.ibm.com/infocenter/cldscp10/index.jsp?topic=/com.ibm.cloudscape.doc/sqlj08.htm
You can find the MySQL description here:
http://dev.mysql.com/doc/refman/4.1/en/index.html
You must think about the SQL insert syntax INSERT INTO buy VALUES '',''
If your string contains ', it could be interpreted as a closing apostrophe, so you need to prevent that. It can be done with an additional backslash or by doubling the character.
0
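Added example, not from the thread: the same INSERT with the visitor's text passed as a bound parameter instead of being spliced into the SQL string, so neither backslashes nor doubled apostrophes are needed and the column receives the text exactly as typed. It assumes an open ADODB.Connection named conn going through the MySQL ODBC driver (as the question's conn.Execute suggests), that the first column of buy is auto-increment and can be left out of the INSERT, and that the longtext column is called information; the column name is an assumption, not something the thread states.

```vbscript
' ADO constants, spelled out so the page does not depend on adovbs.inc
Const adLongVarChar = 201
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

Sub SaveInformation(ByVal conn, ByVal info)
    Dim cmd, size
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder stands in for the value. The driver sends it as data,
    ' so an apostrophe, a backslash or a whole SQL statement in info is just text.
    cmd.CommandText = "INSERT INTO buy (information) VALUES (?)"
    size = Len(info)
    If size = 0 Then size = 1   ' some providers reject a zero-length text parameter
    cmd.Parameters.Append cmd.CreateParameter("information", adLongVarChar, adParamInput, size, info)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' In the form handler, in place of the string-built conn.Execute:
Dim Information
Information = Request.Form("txtInformation")
SaveInformation conn, Information
' SELECT information FROM buy now returns the text as typed, e.g.
' You're looking good, with no backslash stored and nothing to "convert back".
```

Every other value that comes from the request (hidden fields, query string, cookies) goes through the same CreateParameter() route; the only strings left in CommandText are the ones the programmer wrote.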
 

Author Comment

by:Misafi
ID: 18018842
Many thanks for your help
0
