How to escape single quote characters in TEXTAREA input?


    How to escape single quote characters in TEXTAREA input?

    How do I insert a "\" character in front of any inputted single quotes?
    I have a form with a textarea input field used for entering customer Notes. I use a third-party tool to SQL insert a row (including that TEXTAREA input) into a custom table. There are many PHP examples that exist, but none that I can find in SMT. My users will enter a word like "don't" or "O'Neill" and of course MySQL gets upset with the "extra" single quote.

    #2
    Re: How to escape single quote characters in TEXTAREA input?

    You want to take the value of the textarea and encode it.
    Bruce Golub
    Phosphor Media - "Your Success is our Business"

    phosphormedia.com



      #3
      Re: How to escape single quote characters in TEXTAREA input?

      Inserting form field values into SQL databases can open your site up to code injection attacks. Each form variable must be fully qualified. Unfortunately the encoding done by Miva Merchant won't protect you.

      Toolbelt 5.407 has a function MySqlEscape() that is designed for that exact purpose; it was derived from the similarly named PHP function.

      There was a discussion of that subject here http://extranet.mivamerchant.com/for...d.php?t=103220 where I posted the source code.

      It will protect your site and allow the apostrophe (and other potentially dangerous characters) to be correctly entered into the note field you describe above.
      Ray Yates
      "If I have seen further, it is by standing on the shoulders of giants."
      --- Sir Isaac Newton



        #4
        Re: How to escape single quote characters in TEXTAREA input?

        Thanks, I'm using the function and it works beautifully. My site is less susceptible to SQL injection since 95% of all SQL statements are SMT created and I don't have a search function. In the case where I needed to escape the single quote characters SMT provided all of the SQL statement except for the ('value1','value2',...) in the VALUES part.



          #5
          Re: How to escape single quote characters in TEXTAREA input?

          As long as you are using the MvOPENVIEW syntax correctly with the fields parameter, you should not have an issue with SQL injection. No extra module needed. Just make sure if you are writing a module, you write it with the correct syntax. All the regular module suppliers know to do that, but someone who hasn't written a Miva module may not know about the safety feature that Miva has built in.

          As far as XSS, the &mvte should take care of that in your text areas.
          Bill Weiland - Emporium Plus http://www.emporiumplus.com/store.mvc
          Online Documentation http://www.emporiumplus.com/tk3/v3/doc.htm
          Question http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS
          Facebook http://www.facebook.com/EmporiumPlus
          Twitter http://twitter.com/emporiumplus
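
The two approaches raised in this thread (escaping the value before building the VALUES list, and passing it as a bound field) side by side, as an added example that is not part of any post and is not Toolbelt or Miva code. Assumptions: Python's `sqlite3` stands in for MivaScript and MySQL, the escaped character set is the one documented for MySQL's `mysql_real_escape_string()`, and `mysql_escape`, `insert_concatenated`, `insert_bound` and the `notes` table are hypothetical names.

```python
import sqlite3

# Characters documented as escaped by MySQL's mysql_real_escape_string().
# Assumption: default SQL mode (NO_BACKSLASH_ESCAPES off), single-byte charset.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value):
    """Backslash-escape text destined for a quoted MySQL string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def insert_concatenated(conn, note):
    """The situation in the question: raw textarea text pasted into VALUES."""
    conn.execute("INSERT INTO notes (note) VALUES ('" + note + "')")


def insert_bound(conn, note):
    """Bound parameter: the value never becomes part of the SQL text."""
    conn.execute("INSERT INTO notes (note) VALUES (?)", (note,))


def demo():
    """Return (outcome of concatenated insert per note, rows actually stored)."""
    conn = sqlite3.connect(":memory:")  # stand-in database, constructed here
    conn.execute("CREATE TABLE notes (note TEXT)")
    outcome = {}
    for note in ("don't", "O'Neill"):  # sample inputs taken from the question
        try:
            insert_concatenated(conn, note)
            outcome[note] = "stored"
        except sqlite3.OperationalError:
            # The apostrophe ends the literal early and the statement breaks.
            outcome[note] = "syntax error"
        insert_bound(conn, note)
    stored = [r[0] for r in conn.execute("SELECT note FROM notes ORDER BY rowid")]
    return outcome, stored


if __name__ == "__main__":
    print(mysql_escape("O'Neill"))  # what an escaping helper would emit
    print(demo())
```

The bound insert stores the apostrophe unchanged with no escaping step, while the escaping route depends on every concatenated value passing through the helper.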
