
I have a form, not unlike the post question/comment form on this site, that I want to post to a field in a database.

However, if someone were to put in special characters such as @#;"| it either fails or does not insert correctly. Is there a way to insert said data into a database without Perl trying to treat certain characters as operators?

Mose
  • What code do you have that breaks? Yes, there is a way, but you've not given enough information. – msw Jul 01 '10 at 18:01
  • possible duplicate of [special Characters in Perl](http://stackoverflow.com/questions/3153972/special-characters-in-perl) – Ether Jul 01 '10 at 18:26
  • Right, this isn't even at the database issue yet, which is why I opened a separate question. Taking the database element out of the scenario, if I wanted to type a message that used special characters, assign it to a variable, and submit the page to itself and print that variable, Perl would interpret many of the special characters as operators. Remember, I'm not only trying to escape ' but every other special character. I want the textarea to operate just like the add comment here. Once I can pass text to a variable, the database part should work just fine. – Mose Jul 01 '10 at 19:39
  • possible duplicate of [How can I protect against SQL injection attacks using Perl's DBI?](http://stackoverflow.com/questions/2300765/how-can-i-protect-against-sql-injection-attacks-using-perls-dbi) – Sinan Ünür Jul 01 '10 at 20:34
  • @mose, try this: argue with the people who answer your first take on your broken code question not to your satisfaction, and decline to answer "show us your code" so we can fix it for you. Rock on, welcome to StackOverflow. – msw Jul 01 '10 at 20:37
  • @msw Not sure where you're getting all that from. People are giving me database connections; however, before I even test against the database the code is parsing special characters. I really didn't think I needed to print this to get the point across, but here goes: `$var = q{!@#$%^&*()_+{}][\:;'"<>.,/?}; print $var`. Prior to posting this I researched `DBI->quote`, and it didn't work in the scenario that is asking about all special characters, not just single quotes. – Mose Jul 01 '10 at 21:11
  • @msw For instance: `$var = q{testing $pecial ch@racter's};` returns something to the effect of: `testing 0ecial cha0acter''s` – Mose Jul 01 '10 at 21:21
  • Odd, I get `testing $pecial ch@racter's` in `$var`. You are still not showing the code that breaks. Here is a Fine Manual: http://perldoc.perl.org/perlop.html#Quote-and-Quote-like-Operators – msw Jul 01 '10 at 21:50
  • @msw: This guy posted exactly the same question here: http://stackoverflow.com/questions/3153972 ... again, he argued with the answers he got (which, unsurprisingly, were the same as here), and refused to show the part of the code that was actually broken, despite requests... *sigh* – psmears Jul 03 '10 at 13:37

1 Answer

You could use the `quote` database handle method. To quote the documentation:

> **quote**
>
> ```perl
> $sql = $dbh->quote($value);
> $sql = $dbh->quote($value, $data_type);
> ```
>
> Quote a string literal for use as a literal value in an SQL statement, by escaping any special characters (such as quotation marks) contained within the string and adding the required type of outer quotation marks.
>
> ```perl
> $sql = sprintf "SELECT foo FROM bar WHERE baz = %s", $dbh->quote("Don't");
> ```

A better practice is to use placeholders and bind values though:

```perl
$dbh->do("INSERT INTO foo VALUES(?)", undef, "@#;|");
```
Eugene Yarmash
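A worked version of the two approaches in the answer, as an added example that is not part of the original answer or of DBI's documentation. It assumes DBD::SQLite is installed and uses an in-memory database; the table name and the sample text (every character listed in the question, in a single-quoted `q{}` literal so Perl does not interpolate `$` or `@`) are constructed for the example. It inserts the text once with a placeholder and once with `quote()`, reads both rows back unchanged, and shows the interpolated-literal version failing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database keeps this self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)");

# Constructed sample input: the characters from the question, in a q{} literal
# (single-quote semantics), so $pecial and ch@racter are not interpolated.
my $body = q{!@#$%^&*()_+{}][\:;'"<>.,/?  testing $pecial ch@racter's};

# 1. Placeholder: the value travels separately from the SQL text, so no
#    character in $body can be read as SQL syntax.
my $sth = $dbh->prepare("INSERT INTO comments (body) VALUES (?)");
$sth->execute($body);

# 2. quote(): builds a correctly escaped SQL string literal (here the embedded
#    single quotes are doubled). Works, but it is easy to forget one call site,
#    which is why placeholders are the better habit.
my $literal = $dbh->quote($body);
$dbh->do("INSERT INTO comments (body) VALUES ($literal)");

# Read both rows back and confirm the text survived unchanged.
my $rows = $dbh->selectall_arrayref("SELECT body FROM comments ORDER BY id");
for my $row (@$rows) {
    print(($row->[0] eq $body ? "ok   " : "FAIL "), $row->[0], "\n");
}

# 3. Neither: a literal assembled by string interpolation. The unescaped single
#    quote inside $body breaks the statement, and RaiseError turns the
#    malformed SQL into an exception instead of a silent bad insert.
eval { $dbh->do("INSERT INTO comments (body) VALUES ('$body')") };
print "interpolated literal failed as expected: $@" if $@;

$dbh->disconnect;
```

Both `ok` rows show that the driver, not Perl, is what decides how `'`, `"` or `;` reach the database; the Perl side only has to avoid double-quoted interpolation of the user's text.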