comp.lang.ruby

Ruby, MySQL, and apostrophe problem

Mark Adkins

2/12/2008 1:06:00 AM

I'm building a website for a university class that allows users to
submit links (though not "rank" them) a la Digg. The entire page is
built on a CGI script and uses HTML input fields, as well as a textarea.

Everything seems to work fine, except that if a user inputs an
apostrophe in any field of the form, the script breaks.

Is there some way of handling this, or do I need to warn people to not
use conjunctions or possessives?

Thanks so much.
--
Posted via http://www.ruby-....

4 Answers

Jeremy Kemper

2/12/2008 1:12:00 AM

0

On 2/11/08, Mark Adkins <kaujot@gmail.com> wrote:
> I'm building a website for a university class that allows users to
> submit links (though not "rank" them) a la Digg. The entire page is
> built on a CGI script and uses HTML input fields, as well as a textarea.
>
> Everything seems to work fine, except that if a user inputs an
> apostrophe in any field of the form, the script breaks.
>
> Is there some way of handling this, or do I need to warn people to not
> use conjunctions or possessives?

Escape any user-supplied data you put into a SQL query.

Google up on SQL injection for more.

Best,
jeremy

Mark Adkins

2/12/2008 1:24:00 AM

0

Jeremy Kemper wrote:
> On 2/11/08, Mark Adkins <kaujot@gmail.com> wrote:
>> I'm building a website for a university class that allows users to
>> submit links (though not "rank" them) a la Digg. The entire page is
>> built on a CGI script and uses HTML input fields, as well as a textarea.
>>
>> Everything seems to work fine, except that if a user inputs an
>> apostrophe in any field of the form, the script breaks.
>>
>> Is there some way of handling this, or do I need to warn people to not
>> use conjunctions or possessives?
>
> Escape any user-supplied data you put into a SQL query.
>
> Google up on SQL injection for more.
>
> Best,
> jeremy

Sorry, but how exactly do I escape the data?

Basically, the code is this

description = $cgi['description']

HTML stuff

puts "#{description}"

Thanks again.

--
Posted via http://www.ruby-....
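Added example (not code from this thread or from any poster) showing what Jeremy's "escape any user-supplied data you put into a SQL query" advice means for the snippet above, where the CGI value is dropped straight into a statement and into the HTML output. The `links` table with `url` and `description` columns is assumed, and `mysql_escape` is a hand-written copy of the mysql_real_escape_string rules so the script runs without a database; in a real script use the driver's own escaping (for example `Mysql2::Client#escape`) or, better still, prepared statements, and let `CGI.escapeHTML` handle the value on the way back out to the browser.

```ruby
require 'cgi'

# Escape a string the way MySQL's mysql_real_escape_string does, so it can sit
# inside a single-quoted literal. Pure Ruby so the example runs offline; real
# code should use the driver's escaping or prepared statements instead.
def mysql_escape(str)
  str.gsub(/[\0\n\r\\'"\x1a]/) do |c|
    case c
    when "\0"   then '\\0'
    when "\n"   then '\\n'
    when "\r"   then '\\r'
    when "\x1a" then '\\Z'
    else "\\#{c}"           # backslash, single quote, double quote
    end
  end
end

# What the CGI script in the thread effectively does: an apostrophe in the
# input terminates the string literal early and the statement no longer parses.
def naive_insert(url, description)
  "INSERT INTO links (url, description) VALUES ('#{url}', '#{description}')"
end

# Minimal placeholder binding: every ? receives exactly one escaped, quoted value.
def bind_sql(template, *values)
  unless template.count('?') == values.size
    raise ArgumentError, 'placeholder/value count mismatch'
  end
  vals = values.dup
  template.gsub('?') { "'#{mysql_escape(vals.shift.to_s)}'" }
end

def safe_insert(url, description)
  bind_sql('INSERT INTO links (url, description) VALUES (?, ?)', url, description)
end

# Defensive check: strip every well-formed string literal (respecting backslash
# escapes) and compare what is left with the template. Anything that leaked out
# of a literal, such as the "Reilly" in O'Reilly, shows up as extra text.
def skeleton(sql)
  sql.gsub(/'(?:\\.|[^'\\])*'/, '?')
end

def well_formed?(sql, template)
  skeleton(sql) == template
end

# The same description is also printed back into the page, so it needs HTML
# escaping there; otherwise a <script> tag in the form field is served to others.
def html_fragment(description)
  "<p>#{CGI.escapeHTML(description)}</p>"
end

if __FILE__ == $0
  template = 'INSERT INTO links (url, description) VALUES (?, ?)'
  desc = "Tim O'Reilly's site"   # constructed sample input
  puts naive_insert('http://example.com', desc)
  puts "well formed: #{well_formed?(naive_insert('http://example.com', desc), template)}"
  puts safe_insert('http://example.com', desc)
  puts "well formed: #{well_formed?(safe_insert('http://example.com', desc), template)}"
  puts html_fragment("<b>#{desc}</b>")
end
```

Note that counting apostrophes is not a usable check: "O'Reilly's" has two, so the naive statement has an even number of quotes and still fails to parse; that is why the skeleton comparison looks at literal boundaries instead.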

Jeremy Kemper

2/12/2008 1:27:00 AM

0

On 2/11/08, Mark Adkins <kaujot@gmail.com> wrote:
> Jeremy Kemper wrote:
> > On 2/11/08, Mark Adkins <kaujot@gmail.com> wrote:
> >> I'm building a website for a university class that allows users to
> >> submit links (though not "rank" them) a la Digg. The entire page is
> >> built on a CGI script and uses HTML input fields, as well as a textarea.
> >>
> >> Everything seems to work fine, except that if a user inputs an
> >> apostrophe in any field of the form, the script breaks.
> >>
> >> Is there some way of handling this, or do I need to warn people to not
> >> use conjunctions or possessives?
> >
> > Escape any user-supplied data you put into a SQL query.
> >
> > Google up on SQL injection for more.
> >
> > Best,
> > jeremy
>
> Sorry, but how exactly do I escape the data?
>
> Basically, the code is this
>
> description = $cgi['description']
>
> HTML stuff
>
> puts #{description#}

You need to investigate this and figure it out yourself, my friend :)

jeremy

Sharon Rosner

2/12/2008 5:46:00 AM

0

> Is there some way of handling this, or do I need to warn people to not
> use conjunctions or possessives?

Just use Sequel and forget about SQL injection:

http://sequel.rub...

If you need more help we are here:

http://groups.google.com/group/s...

best
sharon