Re: [Zope] truncations in form input due to quotes problem
Jim, Yes, I know, and I use sqlvar on the final step, but this is a multi-page form and I use hidden form fields to pass the values from the first page to the second.. *then* I save the data to my database on the last step.. But your suggestion makes me realize that perhaps the multi-page form isn't the way to go, since that seems to be where the truncation is occurring.. Thank you.. -Chris
On Wed, Feb 05, 2003 at 04:08:54PM -0800, Chris Beaumont wrote:
I have some HTML forms that feed their data to a ZSQL method for insertion into a database.. I've been having a problem with the input to the fields getting truncated.. I think this is due to quotes in the input text.. Does anyone have a solution to this problem? It's common for people to use quotes in the input to HTML forms..
Oh, god, you are in trouble.
Every piece of ZSQL MUST have the form <dtml-sqlvar ..... type=...> or <dtml-var .... sql_quote>.
Otherwise you are left wide open to SQL injection attacks.
Jim Penny
Haven't tried this myself, but (I suspect) you need to do something like <input type="hidden" name="somename" value="<dtml-var somevalue html_quote>"> Without good ol' html_quote in there, you get truncated. You might need url_quote, but probably not. --jcc
I've been using the &dtml.missing-xyz; format which I thought was html_quote-ed. But maybe not, because it appears to fix it.. I wonder if perhaps it might have been something else.. I'll need to bang on it a bit more.. *Thank you!*
Considering its intended use, it probably should be.
Maybe I can save you a little time: dtml entity syntax doesn't html-quote unless you do something like &dtml.html_quote-someVar; unless I'm quite mistaken. Hmm... http://www.zope.org/Members/AlexR/EntitySyntax looks like a good reference for that. --jcc (*you're welcome*)
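An added illustration of the two points raised in this thread (not code from the list, and not Zope's own implementation): a hidden field whose value contains a double quote is cut off at that quote when the browser reads it back, which is the "truncation" Chris saw, while an html_quote-style escape carries the full value through to the next page. The last helper shows the single-quote doubling that DTML's sql_quote performs for the final database step; the real fix there remains a typed <dtml-sqlvar>, which binds the value rather than splicing it into SQL text. The helper names (html_quote, hidden_field, round_trip, sql_quote) and the sample comment string are my own; Python's html.parser stands in for the browser.

```python
"""Why an unquoted value truncates a hidden form field, and how quoting it
preserves the value across a multi-page form.  Reimplemented in Python for
illustration; the helper names are assumptions, not Zope/DTML API."""
from html import escape
from html.parser import HTMLParser


def html_quote(value: str) -> str:
    """Escape &, <, > and both quote characters so the value survives inside
    value="...".  Plays the role of DTML's html_quote modifier."""
    return escape(value, quote=True)


def hidden_field(name: str, value: str, quote: bool) -> str:
    """Render <input type="hidden"> with (quote=True) or without attribute
    escaping; the unescaped form is what the thread's broken page emits."""
    rendered = html_quote(value) if quote else value
    return f'<input type="hidden" name="{name}" value="{rendered}">'


class _HiddenValueParser(HTMLParser):
    """Collect the value attribute of every hidden input, as a browser would
    before submitting the second page of the form."""

    def __init__(self) -> None:
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            if attrs.get("type") == "hidden":
                self.values[attrs.get("name")] = attrs.get("value")


def round_trip(name: str, value: str, quote: bool) -> str:
    """What the next page actually receives for `name` after the hidden field
    is rendered and read back.  Entities are decoded by the parser, just as a
    browser decodes them before submission."""
    parser = _HiddenValueParser()
    parser.feed(hidden_field(name, value, quote))
    return parser.values.get(name)


def sql_quote(value: str) -> str:
    """Double single quotes, the transformation DTML's sql_quote applies to a
    string literal.  Prefer a typed dtml-sqlvar over string splicing."""
    return value.replace("'", "''")


if __name__ == "__main__":
    # Constructed sample input: a comment that contains double quotes.
    comment = 'He said "hello" to me'
    print("unquoted :", repr(round_trip("comment", comment, quote=False)))  # truncated at the first "
    print("html_quote:", repr(round_trip("comment", comment, quote=True)))  # full value survives
    print("sql_quote :", sql_quote("O'Brien"))
```

Run it and compare the two lines: the unquoted rendering yields only the text before the first double quote, because the browser closes the value attribute there and treats the rest as further (meaningless) attributes. That is also why &dtml.html_quote-someVar; matters: the entity syntax alone does no quoting.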
Participants (2): Chris Beaumont, J Cameron Cooper