Odd characters in inserted data...

From: PETER PAULY
Subject: Odd characters in inserted data...
Date:
Msg-id: 19981129222947.29657.qmail@www0n.netaddress.usa.net
List: pgsql-sql
I'm using the "C" interface to write CGI code for a web application.  I allow
the user to type data into a particular field, and am storing that data into a
field in a postgres database.

The problem is, I have to filter the data that the user entered to remove any
single quotes and other odd characters so that my SQL command doesn't get
messed up.   I'm building the command with printf and passing the filtered
data from the user as so:

update tablename set comment = '%s' where .....

And %s is substituted in the printf with the user data. If the user typed in a
single quote, it would cause havoc with the sql statement.  My question is, is
there a better way to pass data to these commands, than to build a command
string like you see above?   My preference would be to pass a pointer to the
data, or something like that.  (same issue with insert).

____________________________________________________________________
Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
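The problem the post describes is that the user's text is pasted straight into the SQL string, so a single quote in the input ends the literal early. The following is an added example (not code from the poster or from PostgreSQL) showing the minimum that the printf approach needs: double every single quote before substituting it into the literal, and check that the resulting statement still has balanced quotes. The table name, the `id` column and the sample comment are assumptions made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a C string for use inside a single-quoted SQL literal by
 * doubling every single quote (the SQL-standard rule). Returns a
 * malloc'd buffer the caller must free, or NULL on allocation failure. */
char *sql_escape_literal(const char *in)
{
    size_t len = strlen(in), extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\'')
            extra++;
    char *out = malloc(len + extra + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            *q++ = '\'';          /* emit the quote twice */
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Build the UPDATE from the post, escaping the user-supplied comment
 * first. The "id" column is a constructed example. Returns a malloc'd
 * string or NULL. */
char *build_update(const char *comment, int id)
{
    char *esc = sql_escape_literal(comment);
    if (!esc)
        return NULL;
    const char *fmt = "update tablename set comment = '%s' where id = %d";
    int n = snprintf(NULL, 0, fmt, esc, id);   /* measure, then fill */
    char *sql = malloc((size_t)n + 1);
    if (sql)
        snprintf(sql, (size_t)n + 1, fmt, esc, id);
    free(esc);
    return sql;
}

/* Count single quotes in a statement: an odd count means an unbalanced
 * literal, which is exactly the "havoc" the post describes. */
int count_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '\'')
            n++;
    return n;
}

int main(void)
{
    /* constructed sample input containing single quotes */
    const char *user = "it's a 'test'";
    char raw[256];
    snprintf(raw, sizeof raw,
             "update tablename set comment = '%s' where id = %d", user, 7);
    char *safe = build_update(user, 7);
    printf("raw:  %s  (quotes: %d)\n", raw, count_quotes(raw));
    printf("safe: %s  (quotes: %d)\n", safe, count_quotes(safe));
    free(safe);
    return 0;
}
```

Quote doubling answers the question as asked, but escaping is only correct for the quoting context it was written for. The approach the poster is really after (passing a pointer to the data instead of splicing it into the command text) is what modern libpq provides with PQexecParams, where the statement uses `$1` placeholders and the values travel separately from the SQL, so no escaping of the data is needed at all.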
