encode/decode

 
Ranch Hand
Posts: 38
Hello--
I have a question... I'm writing an application that takes input from users and stores that data in an Oracle database. One of the fields on the input form is a comments field. My first thought was to use JavaScript to not allow the users to enter in things like ', +, = or anything that would cause the database update not to work. But then I ran across encode and decode, but I'm not sure how and when to use them. Help please!
 
(instanceof Sidekick)
Posts: 8791
If you are building a string like "INSERT INTO COMMENT ..." with your comment text inline you can get into trouble with special characters like that. If you use a prepared statement instead you can avoid those headaches. Or you can look at the Apache StringEscapeUtils which has an escapeSql() method.
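As an added example (not code from this thread or from either poster), here are the two forms side by side in plain JDBC: the inline-string INSERT that breaks on a single quote, and the prepared-statement version that stores the quote as-is. The table COMMENT(ID, BODY) and the JDBC URL are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CommentDao {

    // Assumed table (not from the thread): COMMENT(ID NUMBER, BODY VARCHAR2(4000))

    // The pattern the reply warns against: the user's text is spliced into the SQL.
    // A comment like  O'Brien says hi  yields ... VALUES (1, 'O'Brien says hi')
    // which is a syntax error, and a crafted comment can change the statement itself.
    static void insertCommentUnsafe(Connection con, int id, String body) throws SQLException {
        String sql = "INSERT INTO COMMENT (ID, BODY) VALUES (" + id + ", '" + body + "')";
        try (Statement st = con.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    // The recommended form: the SQL text is fixed and the values are bind parameters,
    // so the driver never quotes or escapes them; the single quote is stored literally.
    static void insertComment(Connection con, int id, String body) throws SQLException {
        String sql = "INSERT INTO COMMENT (ID, BODY) VALUES (?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.setString(2, body);
            ps.executeUpdate();
        }
    }

    // Read it back with a bind parameter too; the returned BODY still contains the quote.
    static String readComment(Connection con, int id) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("SELECT BODY FROM COMMENT WHERE ID = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL/credentials; replace with your own Oracle connection details.
        try (Connection con = DriverManager.getConnection("jdbc:oracle:thin:@//DB_HOST:1521/SERVICE", "USER", "PASSWORD")) {
            insertComment(con, 1, "O'Brien says hi");
            System.out.println(readComment(con, 1)); // O'Brien says hi
        }
    }
}
```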
 
D Wynn
Ranch Hand
Posts: 38
I looked at that but will that allow me to store that single quote on the database?...
 
Rancher
Posts: 43016
76
I would advise doing anything that makes the input acceptable to the DB on the server. Not everybody has JavaScript enabled, and in any case client-side checks can be circumvented easily by malicious users. You should also read up on "SQL injection", and make sure that your application is not susceptible to it. Basically, any user input that finds its way into the DB should be treated with suspicion, and be verified. The Security FAQ has some links to articles on this.
 