[albatross-users] al-textarea not escaping '"' character
Michael C. Neel
neel at mediapulse.com
Wed Oct 1 07:28:46 EST 2003
Albatross escapes on display, not on input. In fact, it converts the
input from the URL encoding the browser did.
That aside, you should be writing:
result = c.execute("""INSERT INTO replies (postid, content, authorid,
timestamp) VALUES (%s, %s, %s, NOW());""",
(postid, content, authorid))
This uses a placeholder, which has the effect of the cursor escaping for
you. Notice you don't need the quotes either, nor will you need %d, %f,
etc. - the database decides based on the field.
This is a lot safer than you trying to parse and strip out bad
characters; the database knows what it doesn't want to see and this code
has been strongly tested (assuming you're not using some off the wall
db, lol).
Mike
> -----Original Message-----
> From: Sheila King [mailto:sheila at thinkspot.net]
> Sent: Tuesday, September 30, 2003 4:05 PM
> To: albatross-users at object-craft.com.au
> Subject: [albatross-users] al-textarea not escaping '"' character
>
>
> Using a somewhat patched version of 1.10
>
> If I include a " character in an al-textarea element and submit, it is not
> being escaped to " when the data is retrieved. It's weird, cuz < > are
> being escaped, but not "
>
> I noticed this because I'm trying to insert this data into a MySQL db and
> am getting errors like this:
>
> ProgrammingError: (1064, 'You have an error in your SQL syntax near
> \'quoted" reply...", 1, NOW())\' at line 2')
>
> Where the query statement is:
>
> result = c.execute("""INSERT INTO replies (postid, content, authorid,
> timestamp) VALUES (%s, "%s", %s, NOW());""" % (postid, content, authorid))
>
> It's the content field which is the textarea and holds, of course, the
> content of a reply.
>
> If I escape the characters myself, I can successfully insert them into the
> MySQL database. Of course, displaying them later, after retrieved, they
> look ... uh... wrong. Guess I am going to have to re-escape them back to
> the original " character for displaying on the web page?
>
> Recommendations? Suggestions?
>
> Anyhow, I'm just puzzled that Albatross is not escaping the character. I
> looked at the tags.py file and see for the al-textarea object, that it is
> supposed to call the "escape" function defined near the top of tags.py. I
> am not using the "noescape" attribute on my al-textarea field.
>
> --
> Sheila King
> http://www.thinkspot.net/sheila/
> http://www.k12groups.org
>
> _______________________________________________
> Albatross-users mailing list
> Albatross-users at object-craft.com.au
> https://www.object-craft.com.au/cgi-bin/mailman/listinfo/albatross-users
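The point Mike makes above, as an added example that is not part of the original thread and not Albatross or MySQLdb code: a DB-API driver using the "format" paramstyle (MySQLdb) turns each %s into a quoted, backslash-escaped literal before the statement reaches the server, whereas Python's own % operator splices the raw text in. The escaping rules below are a stand-alone re-implementation of MySQL's backslash escaping for illustration, the two SQL templates are the ones from the thread, and the sample inputs are constructed. A small scanner shows why the unescaped version fails with the 1064 error: the " inside the reply closes the string literal early and leaves a second one unterminated.

```python
"""Added example: placeholder escaping vs. raw % formatting (not driver code)."""
import html

# MySQL backslash escapes, as a client-side driver applies them (assumption:
# a minimal subset of what MySQLdb's db.literal() does for str values).
MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\0": "\\0",
    "\x1a": "\\Z",
}

# Templates from the thread: the original with hand-written quotes and the
# placeholder-only version Mike recommends.
ORIGINAL_SQL = ('INSERT INTO replies (postid, content, authorid, timestamp) '
                'VALUES (%s, "%s", %s, NOW());')
PLACEHOLDER_SQL = ('INSERT INTO replies (postid, content, authorid, timestamp) '
                   'VALUES (%s, %s, %s, NOW());')


def mysql_literal(value):
    """Render one Python value as a MySQL literal: numbers bare, NULL for
    None, strings single-quoted with every special character escaped."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    escaped = "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)
    return "'" + escaped + "'"


def render_with_placeholders(sql, params):
    """What cursor.execute(sql, params) sends: data can never become syntax."""
    return sql % tuple(mysql_literal(p) for p in params)


def render_with_string_formatting(sql, params):
    """What the original post did: values spliced in as raw text."""
    return sql % tuple(params)


def scan_string_literals(sql):
    """Walk a statement honouring backslash escapes and return
    (number of closed string literals, True if one is left unterminated).
    An unterminated literal is the shape of the 1064 error in the post."""
    count, quote, i = 0, None, 0
    while i < len(sql):
        ch = sql[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
        elif ch == "\\":
            i += 1          # skip the escaped character inside a literal
        elif ch == quote:
            quote = None    # literal closed cleanly
            count += 1
        i += 1
    return count, quote is not None


def for_display(content):
    """Store raw, escape on output: this is the display-side half of
    'escapes on display, not on input'. The " becomes &quot; here."""
    return html.escape(content, quote=True)


if __name__ == "__main__":
    # Constructed input in the shape of the reply from the post.
    content = 'quoted" reply...'
    bad = render_with_string_formatting(ORIGINAL_SQL, (1, content, 1))
    good = render_with_placeholders(PLACEHOLDER_SQL, (1, content, 1))
    print(bad, scan_string_literals(bad))
    print(good, scan_string_literals(good))
    print(for_display(content))
```

Run it and compare the two rendered statements: the raw-formatted one has the reply's " terminating the literal after "quoted", so the rest of the row is read as SQL, while the placeholder version carries `'quoted\" reply...'` as one literal. The same escaping table handles backslashes and newlines in the reply, which hand-stripping "bad characters" tends to miss.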