form gives error when user submits "'" (single quote) in the form

Cliff Wells clifford.wells at comcast.net
Wed Oct 20 08:27:53 EDT 2004


On Wed, 2004-10-20 at 00:24 -0700, Sheetal wrote:

> I have a text area form element in my HTML form. When a user enters
> the "'" in the form, the form throws an error when I use the value to
> enter in the database.

You need to either quote the data using whatever quote function the
database module you're using (you didn't say) provides (psycopg, for
example, provides the QuotedString function), or better, just let the
cursor.execute() method do it for you:

cursor.execute("INSERT INTO foo (bar) VALUES (%s)", (input,))

Incidentally, you should *always* make sure data is quoted before going
into the database.  Especially user-supplied data.  You are flirting
with disaster inserting unquoted data directly from the web.  Consider
the following:

input = "'); DROP TABLE foo; --"
cursor.execute("INSERT INTO foo (bar) VALUES ('%s')" % (input,))

It's also possible to bypass username/password checks using similar
techniques.

Regards,
Cliff

-- 
Cliff Wells <clifford.wells at comcast.net>
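The two patterns Cliff contrasts, side by side in runnable form. This is an added example, not code from the thread: it uses Python's bundled sqlite3 module as a stand-in for the unnamed database module (so the placeholder is `?` rather than psycopg's `%s`), and the table `foo`, the name `O'Brien` and the payload string are the post's own or constructed sample data. One caveat to read alongside it: sqlite3's `execute()` refuses SQL text containing more than one statement, so the formatted-in payload surfaces here as an error rather than a dropped table; a driver that accepts stacked statements would run the `DROP`.

```python
import sqlite3

# Constructed sample inputs: the reporter's symptom (a value containing a
# single quote) and the payload quoted in the reply.
NAME_WITH_QUOTE = "O'Brien"
INJECTION = "'); DROP TABLE foo; --"


def make_db():
    """Fresh in-memory database holding the table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT)")
    return conn


def build_unsafe_sql(value):
    """The pattern from the reply: Python string formatting pastes the value
    into the SQL text, so any quote inside the value becomes SQL grammar."""
    return "INSERT INTO foo (bar) VALUES ('%s')" % (value,)


def insert_unsafe(conn, value):
    conn.execute(build_unsafe_sql(value))


def insert_safe(conn, value):
    """Parameterised form: the SQL text is fixed and the value travels
    separately, so the driver does the quoting. sqlite3 uses '?' placeholders
    where psycopg uses %s (assumption: sqlite3 stands in for the real driver)."""
    conn.execute("INSERT INTO foo (bar) VALUES (?)", (value,))


def stored_values(conn):
    return [row[0] for row in conn.execute("SELECT bar FROM foo ORDER BY rowid")]


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def try_unsafe(conn, value):
    """Return 'ok' or 'error' for the string-formatted insert."""
    try:
        insert_unsafe(conn, value)
        return "ok"
    except Exception:
        # sqlite3 raises OperationalError for the broken syntax and refuses
        # multi-statement text outright; other drivers may run the DROP instead.
        return "error"


def demo():
    conn = make_db()
    report = {}
    # 1. The reported symptom: a quote in ordinary data breaks the formatted SQL.
    report["unsafe_quote"] = try_unsafe(conn, NAME_WITH_QUOTE)
    # 2. The same data goes in cleanly through a placeholder.
    insert_safe(conn, NAME_WITH_QUOTE)
    # 3. The payload from the reply turns into SQL when formatted in...
    report["unsafe_sql_text"] = build_unsafe_sql(INJECTION)
    report["unsafe_injection"] = try_unsafe(conn, INJECTION)
    # ...but is stored as an inert string when passed as a parameter.
    insert_safe(conn, INJECTION)
    report["stored"] = stored_values(conn)
    report["table_survives"] = table_exists(conn, "foo")
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the formatted inserts failing on both inputs while the parameterised inserts store both strings verbatim and leave the table intact; `build_unsafe_sql(INJECTION)` prints the SQL text the driver would actually receive, which is where the closing quote and the second statement become visible.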



