[albatross-users] al-textarea not escaping '"' character

Michael C. Neel neel at mediapulse.com
Wed Oct 1 07:28:46 EST 2003


Albatross escapes on display, not on input.  In fact, it decodes the
input from the URL encoding the browser applied.

That aside, you should be writing:

result = c.execute("""INSERT INTO replies (postid, content, authorid,
                       timestamp) VALUES (%s, %s, %s, NOW());""", 
                               (postid, content, authorid))

This uses a placeholder, which has the effect of the cursor escaping for
you.  Notice you don't need the quotes either, nor will you need %d, %f,
etc. - the database decides based on the field.

This is a lot safer than you trying to parse and strip out bad
characters; the database knows what it doesn't want to see and this code
has been strongly tested (assuming you're not using some off the wall
db, lol).

Mike
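The two INSERT styles from this thread side by side, as an added example that is not code from Mike, Sheila or the Albatross project. It uses Python's standard-library sqlite3 module so it runs offline; MySQLdb, the driver in the thread, exposes the same DB-API execute(sql, params) call, but its placeholder token is %s where sqlite3's is ? (and SQLite's NOW() equivalent is datetime('now')). SQLite string literals are single-quoted, so the character that breaks the %-formatted query here is ' rather than the " that broke the MySQL query. The replies table layout and all sample content are constructed for the example. The last function shows Mike's first point as well: store the raw text and escape for HTML at display time.

```python
"""Placeholders vs. %-formatting for the replies INSERT (added example).

Uses sqlite3 so it runs offline; MySQLdb has the same execute(sql, params)
call with %s instead of ? as the placeholder.  Schema and data constructed.
"""
import html
import sqlite3

# Constructed stand-in for the replies table described in the thread.
SCHEMA = (
    "CREATE TABLE replies (id INTEGER PRIMARY KEY, postid INTEGER, "
    "content TEXT, authorid INTEGER, timestamp TEXT)"
)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, postid, content, authorid):
    """The pattern from the original post: the statement is assembled with
    the % operator, so any quote inside `content` becomes SQL syntax."""
    sql = (
        "INSERT INTO replies (postid, content, authorid, timestamp) "
        "VALUES (%s, '%s', %s, datetime('now'))" % (postid, content, authorid)
    )
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, postid, content, authorid):
    """Mike's recommendation: hand the values to the cursor separately.
    The driver quotes them; no quotes around the placeholder, no %d/%f."""
    conn.execute(
        "INSERT INTO replies (postid, content, authorid, timestamp) "
        "VALUES (?, ?, ?, datetime('now'))",
        (postid, content, authorid),
    )
    conn.commit()


def latest_reply(conn, postid):
    """(content, authorid) of the most recent reply to postid, or None."""
    row = conn.execute(
        "SELECT content, authorid FROM replies WHERE postid = ? "
        "ORDER BY id DESC LIMIT 1",
        (postid,),
    ).fetchone()
    return (row[0], row[1]) if row else None


def render(content):
    """Escape for HTML at display time: the database holds the raw text,
    so nothing has to be un-escaped again before it is shown."""
    return html.escape(content, quote=True)


def unsafe_syntax_error(content="O'Brien wrote a \"quoted\" reply"):
    """Reproduce the failure from the thread: an ordinary quote in the
    reply body turns into a syntax error.  Returns the driver's message."""
    conn = make_db()
    try:
        insert_unsafe(conn, 1, content, 7)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def unsafe_spoofed_author():
    """Worse than an error: a body that closes the literal and supplies its
    own authorid.  Returns the authorid that actually gets stored."""
    payload = "looks harmless', 999, datetime('now')) --"
    conn = make_db()
    insert_unsafe(conn, 1, payload, 7)  # the caller meant authorid 7
    return latest_reply(conn, 1)[1]


def safe_round_trip(content):
    """Parameterised insert: the text is stored verbatim and the authorid
    stays what the caller passed, whatever characters the body contains."""
    conn = make_db()
    insert_safe(conn, 1, content, 7)
    return latest_reply(conn, 1) == (content, 7)


if __name__ == "__main__":
    print("unsafe:", unsafe_syntax_error())
    print("authorid stored by the spoofing payload:", unsafe_spoofed_author())
    sample = "She said \"hi\" <b>&</b> it's 100% done"
    print("safe round trip:", safe_round_trip(sample))
    print("rendered:", render(sample))
```

The constants in `unsafe_spoofed_author` are chosen so that the statement stays syntactically valid: the body closes the string, fills in the remaining columns, and comments out the rest, which is why the result is a silently wrong row rather than the error Sheila saw.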


> -----Original Message-----
> From: Sheila King [mailto:sheila at thinkspot.net] 
> Sent: Tuesday, September 30, 2003 4:05 PM
> To: albatross-users at object-craft.com.au
> Subject: [albatross-users] al-textarea not escaping '"' character
> 
> 
> Using a somewhat patched version of 1.10
> 
> If I include a " character in an al-textarea element and submit, it is
> not being escaped to &quot; when the data is retrieved. It's weird, cuz
> < > are being escaped, but not "
> 
> I noticed this because I'm trying to insert this data into a MySQL db
> and am getting errors like this:
> 
> ProgrammingError: (1064, 'You have an error in your SQL syntax near 
> \'quoted" reply...", 1, NOW())\' at line 2')
> 
> Where the query statement is:
> 
> result = c.execute("""INSERT INTO replies (postid, content, authorid,
>                        timestamp) VALUES (%s, "%s", %s, NOW());""" % \
>                        (postid, content, authorid))
> 
> It's the content field which is the textarea and holds, of course, the
> content of a reply.
> 
> If I escape the characters myself, I can successfully insert them into
> the MySQL database. Of course, displaying them later, after retrieval,
> they look ... uh... wrong. Guess I am going to have to re-escape them
> back to the original " character for displaying on the web page?
> 
> Recommendations? Suggestions?
> 
> Anyhow, I'm just puzzled that Albatross is not escaping the character.
> I looked at the tags.py file and see for the al-textarea object, that
> it is supposed to call the "escape" function defined near the top of
> tags.py. I am not using the "noescape" attribute on my al-textarea
> field.
> 
> -- 
> Sheila King
> http://www.thinkspot.net/sheila/
> http://www.k12groups.org
> 
> _______________________________________________
> Albatross-users mailing list
> Albatross-users at object-craft.com.au
> https://www.object-craft.com.au/cgi-bin/mailman/listinfo/albatross-users
