Jim, Yes, I know, and I use sqlvar on the final step, but this is a multi-page form and I use hidden form fields to pass the values from the first page to the second.. *then* I save the data to my database on the last step.. But your suggestion makes me realize that perhaps the multi-page form isn't the way to go, since that seems to be where the truncation is occurring.. Thank you.. -Chris
On Wed, Feb 05, 2003 at 04:08:54PM -0800, Chris Beaumont wrote:
I have some HTML forms that feed their data to a ZSQL method for insertion into a database.. I've been having a problem with the input to the fields getting truncated.. I think this is due to quotes in the input text.. Does anyone have a solution to this problem? It's common for people to use quotes in the input to HTML forms..
Oh, god, you are in trouble.
Every piece of ZSQL MUST have the form <dtml-sqlvar ..... type=...> or <dtml-var .... sql_quote>.
Otherwise you are left wide open to SQL injection attacks.
Jim Penny
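The two failure modes discussed in this thread, quotes cutting off a value carried in a hidden form field between pages and user text placed in SQL without quoting, as an added Python example that is not part of the thread or of Zope. Python's stdlib stands in for the DTML template and the browser, and sqlite3 parameter binding plays the role that dtml-sqlvar plays in a ZSQL method; the sample input is constructed.

```python
import html
import sqlite3
from html.parser import HTMLParser


class HiddenFieldReader(HTMLParser):
    """Collects name/value pairs of hidden inputs, as a browser reads them back."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def render_hidden(name, value, escape=True):
    """Emit the hidden field that carries a page-1 value on to page 2.
    escape=False reproduces the naive template, which loses everything
    after the first double quote in the value."""
    if escape:
        value = html.escape(value, quote=True)  # " -> &quot;  ' -> &#x27;
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def round_trip(value, escape=True):
    """Render the hidden field, then parse it back as the next page receives it."""
    reader = HiddenFieldReader()
    reader.feed(render_hidden("comment", value, escape))
    return reader.fields["comment"]


def store_and_read(comment):
    """Insert with a bound parameter (the sqlvar equivalent) and read it back;
    quotes in the user text never become part of the SQL statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    return conn.execute("SELECT body FROM comments").fetchone()[0]


if __name__ == "__main__":
    user_text = 'He said "don\'t" and left'        # constructed sample input
    print(repr(round_trip(user_text, escape=False)))  # truncated: 'He said '
    print(repr(round_trip(user_text)))                # intact after escaping
    print(repr(store_and_read(user_text)))            # stored verbatim
```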