
The users may input some special chars in the input box:

<input type="text" name="task_description" id="task_description" value="<?cs var:Query.task_description?>">

double quotation marks and single quotation marks for example. I need to get their input text and insert the task_description into my database table.

On my server, I write my CGI using C++, and my database is MySQL.

The user's input will be transferred to the server in JSON.

The problem is on the server side: when I want to get the strings input by the users in JSON, I just cannot get the right one. For example:

If the user inputs:

hello " " hello

on the server side I get the input string from the JSON like this:

#include <string>
#include <mysql/mysql.h>   // mysql_escape_string
#include <json/json.h>     // assumed: JsonCpp, which provides asString()

using std::string;

// Escape a string for use inside a quoted SQL literal.
// mysql_escape_string needs an output buffer of at least 2*len+1 bytes,
// so size it from the input instead of using a fixed static buffer
// (a fixed 1 MB buffer overflows on inputs longer than ~512 KB).
static string get_escape_string(const string& src)
{
    string dst(src.length() * 2 + 1, '\0');
    unsigned long n = mysql_escape_string(&dst[0], src.c_str(), src.length());
    dst.resize(n);      // use the returned length rather than strlen()
    return dst;
}

// here is how I get the user's input
string remarks = get_escape_string(record[i]["remarks"].asString());

the "record" is the JSON data, after the operation I can only get: hello

it is truncated at the first double quoation mark.

I tried to use the function "escape" in the front-end JavaScript code, but "escape" cannot encode double quotation marks.

How could I deal with the double and single quotation marks?

thanks in advance!

Y.L.
  • Are you asking how to strip off the special characters before inserting to the database? – Harsha Venkataramu Jun 19 '13 at 06:32
  • What server-side technology are you using? – T.J. Crowder Jun 19 '13 at 06:35
  • I permit the user to input everything they want, so I don't want to strip off the special chars. On my server side, I write my CGI using C++, the user's input will be transferred to the server in JSON, and my database is MySQL. The problem is when I want to get the strings input by the users in JSON, I just cannot get the right one. – Y.L. Jun 19 '13 at 10:10

1 Answer


How could I deal with the double and single quotation marks?

The same way you deal with all DB input: Using parameterized queries. Never build up SQL strings using string concatenation. (Obligatory link to xkcd.)

How you do that will depend on what server-side technology you're using, which you haven't listed.

Similarly, when outputting the text of something into the value attribute in the HTML, you'll need to use a function (which is probably provided in your server-side environment) that correctly encodes that text as HTML (since attribute values are HTML), which will turn double quotes into &quot; entities and similar.

T.J. Crowder
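As an added example (not code from the question or the answer), here is the HTML-attribute encoding step the answer describes, written in C++ since that is the question's server-side language, together with a helper that shows why an unencoded value round-trips as only "hello ": the browser ends the attribute at the first double quote, so the form resubmits the truncated prefix.

```cpp
#include <string>

// Encode text for use inside a double-quoted HTML attribute value.
// Every character with HTML meaning becomes an entity, so user input
// can never terminate the attribute or the tag early.
static std::string html_attr_encode(const std::string& text)
{
    std::string out;
    out.reserve(text.size());
    for (char c : text) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Build the <input> tag from the question with a correctly encoded value.
static std::string render_task_input(const std::string& task_description)
{
    return "<input type=\"text\" name=\"task_description\" "
           "id=\"task_description\" value=\"" +
           html_attr_encode(task_description) + "\">";
}

// What the browser keeps if the raw value is dropped into value="..."
// unencoded: everything up to the first '"' (the whole string if none).
static std::string attribute_as_browser_reads_it(const std::string& raw)
{
    return raw.substr(0, raw.find('"'));
}
```

With the encoded form the field holds the full `hello " " hello`, which then reaches the server intact and can be inserted with a parameterized query as the answer recommends.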