[Zope] truncations in form input due to quotes problem

Chris Beaumont cbeaumon@msri.org
Wed, 5 Feb 2003 16:44:02 -0800 (PST)


Jim,

Yes, I know, and I use sqlvar on the final step, but this is a
multi-page form and I use hidden form fields to pass the values from the
first page to the second.. *then* I save the data to my database on the
last step..

But your suggestion makes me realize that perhaps the multi-page form
isn't the way to go, since that seems to be where the truncation is
occurring..

Thank you..

-Chris





> On Wed, Feb 05, 2003 at 04:08:54PM -0800, Chris Beaumont wrote:
> > I have some HTML forms that feed their data to a ZSQL method for
> > insertion into a database.. I've been having a problem with the input to
> > the fields getting truncated.. I think this is due to quotes in the
> > input text.. Does anyone have a solution to this problem? Its common for
> > people to use quotes in the input to HTML forms..
> 
> Oh, god, you are in trouble.
> 
> Every piece of ZSQL MUST have the form
> <dtml-sqlvar ..... type=...>
> or <dtml-var .... sql_quote>.
> 
> Otherwise you are left wide open to SQL injection attacks.
> 
> Jim Penny
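The truncation Chris describes, reproduced and fixed as an added Python example (not code from the original thread): a hidden field built by string concatenation loses everything after the first embedded double quote once the browser parses the attribute, whereas a value escaped with html.escape(..., quote=True) round-trips intact. The sql_quote helper is an assumed, simplified stand-in for the quote doubling Jim refers to; the value still has to be quoted or parameterised at the SQL step regardless of how it travelled between pages.

```python
import html
from html.parser import HTMLParser

# Constructed sample input of the kind a user might type into a form field.
SAMPLE_VALUE = 'He said "hello" and left'


def hidden_field_unescaped(name, value):
    """Hidden field built by plain string concatenation: the buggy pattern."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def hidden_field_escaped(name, value):
    """Hidden field whose name and value are escaped for an HTML attribute."""
    return ('<input type="hidden" name="%s" value="%s">'
            % (html.escape(name, quote=True), html.escape(value, quote=True)))


class _HiddenFieldParser(HTMLParser):
    """Collects name/value pairs from <input type="hidden"> tags, roughly as a browser would."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def submitted_value(markup, name):
    """Return the value a browser would submit for the hidden field `name`."""
    parser = _HiddenFieldParser()
    parser.feed(markup)
    parser.close()
    return parser.fields.get(name)


def sql_quote(value):
    """Double embedded single quotes (simplified, assumed stand-in for Zope's
    sql_quote; a dtml-sqlvar or a parameterised query is the better choice)."""
    return value.replace("'", "''")


if __name__ == "__main__":
    buggy = hidden_field_unescaped("comment", SAMPLE_VALUE)
    fixed = hidden_field_escaped("comment", SAMPLE_VALUE)
    print("unescaped field submits:", repr(submitted_value(buggy, "comment")))
    print("escaped field submits:  ", repr(submitted_value(fixed, "comment")))
    print("sql_quote:", sql_quote("O'Reilly"))
```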