JRS: In article <du***********@news.imp.ch>, dated Sat, 11 Mar 2006
10:30:21 remote, seen in news:comp.lang.javascript, Stefan Mueller
<se************ **@yahoo.com> posted :
I've a web page with several input boxes. After the user clicks 'submit' I
insert these data into my MySQL database.
This worked for several months perfect. But today a user entered the street
name
Route d'Yverdon 59
unfortunately the data has not been inserted into my MySQL database because
of the apostrophe (') in the name of the street.
I've no idea how to deal with this problem.
Is there any possibility to avoid that my PHP & Java scripts don't interpret
apostrophes (') and semicolons (")?
Any string input by the user needs to be checked to make sure (at least)
that it contains no harmful characters and is of safe length.
That *can* be done at the client, so that the user can correct before
transmission. But it *must* be done at the server end, if only to
defend against malice. You may be able to replace the offending
character by a similar but harmless one, or to precede it with an escape
character (maybe \), or render it in Unicode or similar.
Omitting quibble, ' is apostrophe or single-quote, " is quote or double-
quote, and semicolon or semi-colon is ; .
You'll need to check language specifications to see what is allowed.
Note that in javascript a'b"c is a legitimate string, and can be
entered by way of a text control. But it cannot be written in that form
as a literal, though "a'b\"c" and 'a\'b"c' and "a\u0027b\u0022c"
can (E&OE) be used in code.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
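
An added example, not part of either post: the server-side check described in the reply, followed by an insert of the street name from the question. It uses a PDO prepared statement in place of the manual escaping the reply mentions. The table `addresses`, column `street`, the 100-character limit and the in-memory SQLite database (standing in for MySQL so it runs offline) are assumptions, and the `mbstring` and `pdo_sqlite` extensions are required.

```php
<?php
declare(strict_types=1);

// Assumed limit and schema; the original post does not give either.
const MAX_STREET_LEN = 100;

/**
 * Server-side check: valid UTF-8, bounded length, no control characters.
 * Apostrophes and quotes are deliberately allowed; they are legitimate data.
 */
function validate_street(string $raw): ?string
{
    $s = trim($raw);
    if ($s === '' || !mb_check_encoding($s, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($s, 'UTF-8') > MAX_STREET_LEN) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $s) === 1) {
        return null;
    }
    return $s;
}

// In-memory SQLite stands in for MySQL so the example runs offline.
// For MySQL use a DSN such as 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE addresses (id INTEGER PRIMARY KEY, street TEXT NOT NULL)');

// Constructed sample inputs: the street from the post, the a'b"c string, an over-long one.
$inputs = ["Route d'Yverdon 59", "a'b\"c", str_repeat('x', 500)];

// The value is bound as a parameter, so it never becomes part of the SQL text.
$stmt = $pdo->prepare('INSERT INTO addresses (street) VALUES (:street)');
foreach ($inputs as $raw) {
    $street = validate_street($raw);
    if ($street === null) {
        echo "rejected input of length ", strlen($raw), "\n";
        continue;
    }
    $stmt->execute([':street' => $street]);
}

// Read the rows back to confirm the quotes were stored unchanged.
foreach ($pdo->query('SELECT street FROM addresses') as $row) {
    echo $row['street'], "\n";
}
```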