Re: set action and SQL inserts and embedded single quotation marks
****** message to minivend-users from mikeh@minivend.com ******
Quoting Brian Bullen (brian@beryl.sol.co.uk):
>
> My users are trying to enter text strings with single quotation marks
> into a form which is used to insert a new record into a SQL table.
> i.e. the action from mv_todo variable is "set"
>
> To replace single quotes by two quote marks
> in values being inserted I think it is necessary to add a line
> to sub 'update_data' in minivend itself:
>
> HTML::Entities::decode($value) if $decode;
> $value =~ s/'/''/g; # 990126 Quote quotation marks

Suggest using this instead:

    $value = $db->quote($value,$_) if $type eq 'sql';

That will only quote non-numeric (I know some/most SQLs handle quoted
numerics, but not all).

I am adding this to the 3.12 code.

> $select_key = $value if $_ eq $prikey;
> push(@v, $value);
>
> As these are CGI values being read directly I don't think I can
> do the replacement in an mv_click route (with Perl cgi I only get
> read access to these values ?)

I don't think mv_click parsing is done for 'set'.

Thanks for finding the bug!

--
Mike Heins http://www.minivend.com/ ___
Internet Robotics |_ _|____
Fast, reliable, cheap. 131 Willow Lane, Floor 2 | || _ \
Pick two and we'll talk. Oxford, OH 45056 | || |_) |
-- unknown <mikeh@minivend.com> |___| _ <
513.523.7621 FAX 7501 |_| \_\
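
The type-aware quoting discussed in this message, as an added example that is not Minivend's code and not part of the original post. The names sql_quote and build_insert, the column map, the table name and the form values are hypothetical and constructed for illustration; the numeric check is an added assumption about how a value left unquoted should be validated.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical column types for an example table (not Minivend's schema).
my %column_type = (
    code     => 'char',
    name     => 'char',
    price    => 'numeric',
    quantity => 'numeric',
);

# Quote one value for use as an SQL literal, according to its column type.
# Character columns: double embedded single quotes, then wrap in quotes.
# Numeric columns: emit unquoted, but only after checking it is a number,
# because an unquoted value is copied into the statement as-is.
sub sql_quote {
    my ($value, $column) = @_;
    return 'NULL' unless defined $value;
    my $type = $column_type{$column}
        or die "unknown column '$column'\n";
    if ($type eq 'numeric') {
        $value =~ /\A-?(?:\d+\.?\d*|\.\d+)\z/
            or die "non-numeric value for column '$column'\n";
        return $value;
    }
    (my $quoted = $value) =~ s/'/''/g;
    return "'$quoted'";
}

# Build an INSERT from a hash of form fields; column names are accepted
# only if they appear in %column_type (sql_quote dies otherwise).
sub build_insert {
    my ($table, $form) = @_;
    my @cols = sort keys %$form;
    my @vals = map { sql_quote($form->{$_}, $_) } @cols;
    return "INSERT INTO $table (" . join(', ', @cols) . ') VALUES ('
         . join(', ', @vals) . ')';
}

# Constructed form submission with an embedded single quote.
my %form = (code => 'A-100', name => "O'Brien's tea",
            price => '4.50', quantity => '3');
print build_insert('products', \%form), "\n";

# Text in a numeric field is rejected rather than passed through unquoted.
my $bad = eval { sql_quote('12abc', 'quantity') };
print "rejected: $@" unless defined $bad;
```

Where the database driver supports bound parameters, passing the values separately from the statement text avoids building literals at all.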