encode/decode

 
D Wynn
Ranch Hand
Posts: 38
Hello--
I have a question... I'm writing an application that takes input from users and stores that data in an Oracle database. One of the fields on the input form is a comments field. My first thought was to use JavaScript to not allow the users to enter things like ', +, = or anything that would cause the database update not to work. But then I ran across encode and decode, but I'm not sure how and when to use them. Help please!
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
If you are building a string like "INSERT INTO COMMENT ..." with your comment text inline, you can get into trouble with special characters like that. If you use a prepared statement instead, you can avoid those headaches. Or you can look at the Apache StringEscapeUtils, which has an escapeSql() method.
 
D Wynn
Ranch Hand
Posts: 38
I looked at that, but will that allow me to store that single quote in the database?...
 
Ulf Dittmer
Rancher
Posts: 42972
I would advise doing anything that makes the input acceptable to the DB on the server. Not everybody has JavaScript enabled, and in any case client-side checks can be circumvented easily by malicious users. You should also read up on "SQL injection", and make sure that your application is not susceptible to it. Basically, any user input that finds its way into the DB should be treated with suspicion and be verified. The Security FAQ has some links to articles on this.
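The two suggestions above (a prepared statement instead of an inline string, and validation on the server rather than in JavaScript) as an added example; this is not code from the thread. It assumes a table COMMENT with a BODY column, and the length limit is a placeholder for whatever the column is actually declared as.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CommentDao {
    // Assumed column size; replace with the real VARCHAR2 length of COMMENT.BODY.
    private static final int MAX_COMMENT_LENGTH = 4000;

    // The pattern to avoid: the comment text is pasted into the SQL itself, so a
    // single quote in the comment breaks the statement, and input can change
    // what the statement does (SQL injection). Shown only for contrast.
    static String inlineSql(String comment) {
        return "INSERT INTO COMMENT (BODY) VALUES ('" + comment + "')";
    }

    // Prepared statement: the SQL text is fixed and the comment is passed as a
    // bound parameter. A value such as "O'Brien said: 1+1=2" is stored exactly
    // as typed, quote and all, with no escaping or encoding on the caller's side.
    static void insertComment(Connection conn, String comment) throws SQLException {
        String checked = validate(comment);
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO COMMENT (BODY) VALUES (?)")) {
            ps.setString(1, checked);
            ps.executeUpdate();
        }
    }

    // Server-side validation: browser checks can be bypassed, so the rules live
    // here. Only enforce what the column really requires (presence and length);
    // there is no need to reject characters like ' or = once the value is bound.
    static String validate(String comment) {
        if (comment == null) {
            throw new IllegalArgumentException("comment is required");
        }
        String trimmed = comment.trim();
        if (trimmed.isEmpty()) {
            throw new IllegalArgumentException("comment must not be blank");
        }
        if (trimmed.length() > MAX_COMMENT_LENGTH) {
            throw new IllegalArgumentException(
                "comment exceeds " + MAX_COMMENT_LENGTH + " characters");
        }
        return trimmed;
    }
}
```

The same pattern applies to reading the comment back: a plain SELECT returns the stored text unchanged, so no decode step is needed either.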
 