
I need to make a form with a Text Area that accepts lines of script, any kind of script be it javascript, css, html, vbscript, whatever. How can the script be passed to a form post?

EDIT: How can this script be modified so it can be inserted into a Database? Specifically SQL Server 2005

William Calleja

1 Answer


In the normal way, it's just text. It only becomes "script" when you ask a script interpreter to interpret it (or a compiler to compile it; these lines are getting blurrier and blurrier). So you can include it in your form in exactly the same way you would if it were where someone should type anything else — a forum post, a question, an answer, a brief description of their job, a love letter... :-)

Edit: Re your edit/follow-up, what you need to do is properly pre-process the text. This doesn't only relate to script; you run into issues with normal text too. Here are some links addressing this in the context of SQL injection attacks, but the techniques are the same whether you're defending against SQL injection or just trying to support having a single quote in someone's name.

Starting with a fun comic:

http://imgs.xkcd.com/comics/exploits_of_a_mom.png

...and then referencing some useful stuff:

http://en.wikipedia.org/wiki/Sql_injection

Classic ASP SQL Injection Protection

How can I avoid SQL injection attacks?

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

T.J. Crowder
  • That is true, however in the process of saving this information to a database, it being a script is causing all sorts of havoc with the SQL Statement. That's what I really need help with. – William Calleja Apr 08 '10 at 16:16
  • @William: It sounds as though you're not pre-processing the text correctly, which has all sorts of implications, not least making the app susceptible to SQL injection attacks: http://en.wikipedia.org/wiki/Sql_injection, http://imgs.xkcd.com/comics/exploits_of_a_mom.png The solution is the same for script as for other text, use a parameterized statement when doing your SQL insert/update (whatever those look like in your environment; for instance, in Java you might use `java.sql.PreparedStatement`). If you search for "SQL Injection" on SO (or generally) you'll find tutorials about it. – T.J. Crowder Apr 08 '10 at 16:20
  • Thanks a lot T.J. I really wasn't giving SQL injection any thought at all. – William Calleja Apr 09 '10 at 09:53
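As an added example (not code from either poster), here is the parameterized insert the answer and the follow-up comment recommend, next to the string-built INSERT that breaks as soon as the pasted script contains a single quote. It uses Python's built-in sqlite3 module as a stand-in for SQL Server 2005 purely so it runs offline; the parameter shape is the same one you would use through ADO or ADO.NET command parameters.

```python
import sqlite3

# Constructed sample: a line of JavaScript a user might paste into the
# textarea. The single quotes are what wreck a string-built statement.
SAMPLE_SCRIPT = "alert('hello'); document.body.style.color = 'red';"


def make_db():
    """In-memory table standing in for the real snippets table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    return conn


def concatenated_insert_fails(conn, body):
    """The broken approach: glue the text into the SQL string.

    Any quote inside `body` changes the structure of the statement, so the
    database sees a different (here, malformed) command. Returns True when
    the engine rejects the statement, False when it happened to parse.
    """
    sql = "INSERT INTO snippets (body) VALUES ('" + body + "')"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return True
    return False


def parameterized_roundtrip(conn, body):
    """The correct approach: the text travels as a bound parameter.

    The SQL text is fixed; `body` is never parsed as SQL, so quotes, tags
    or any other script characters are stored verbatim. Returns what was
    actually stored so the caller can confirm it matches the input.
    """
    cur = conn.execute("INSERT INTO snippets (body) VALUES (?)", (body,))
    row = conn.execute(
        "SELECT body FROM snippets WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print("concatenation rejected:", concatenated_insert_fails(db, SAMPLE_SCRIPT))
    print("stored verbatim:", parameterized_roundtrip(db, SAMPLE_SCRIPT) == SAMPLE_SCRIPT)
```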