Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

Quotes In CGI

by andrew (Acolyte)
on Oct 07, 2002 at 18:56 UTC ( #203450=perlquestion: print w/replies, xml ) Need Help??
andrew has asked for the wisdom of the Perl Monks concerning the following question:

Well Im having a problem if a user fills out one of my forms and puts somethi g in quotes, and when that gets printed from the database everything beyond the quptes is whiped out, they dont even show up in txt fields.

Replies are listed 'Best First'.
Re: Quotes In CGI
by dws (Chancellor) on Oct 07, 2002 at 19:32 UTC
    Show us code. I suspect that you're constucting an INSERT/UPDATE query by using string interpolation or simple concatenation (a bad idea), rather than using bind variables, which give you automagic, database-specific quoting.

    Ponder the difference between

    my $name = $cgi->param('name'); my $query = "INSERT ... VALUES($name)";
    my $name = $cgi->param('name'); my $query = "INSERT ... VALUES(" . dbi->quote($name) . ")";
    and note that quote() gets invoked automagically when you execute() a query and provide values for placeholders in the query.

Re: Quotes In CGI
by chromatic (Archbishop) on Oct 07, 2002 at 19:38 UTC

    Without seeing your code, I can only guess that you are not using the DBI module's quote() method. It escapes special characters so that they can be used in SQL properly. You might also want to look through the DBI manpage for placeholders, as they will perform quoting automatically.

Re: Quotes In CGI
by jlongino (Parson) on Oct 07, 2002 at 21:10 UTC
    How are you parsing/storing your CGI data? I had the same problem you're describing before I started frequenting Perlmonks. I used the $cgi->parm('var') methods but I used eval to create variables and assign their corresponding values:

    The following code is BAD! don't use it!

    sub doGetCGIvars { my $VarName; my $query = new CGI; foreach $VarName ($query->param) { $assign = "\$$VarName = '" . $query->param($VarName) . "'"; &UnTaint($assign); eval($assign); } }
    Why is this bad? Because any param that has a single quote in it will screw things up. Likewise, if I had used the following:
    $assign = "\$$VarName = \"" . $query->param($VarName) . '"';
    params containing a doublequote would screw things up. Instead, use one of the saner methods recommended by Ovid in his reply to Best way to parse CGI params and check out his CGI Course for more pointers and other reasons why you shouldn't use methods like the ones above to parse/store cgi data.


      I'm sure that you realize that single-quotes aren't the only reason the above code is very, very bad. If, for example, someone were to figure out what you're doing, they could call your script like this:
      This would eval (I think -- it's not tested), and do some potentially nasty things. I'm not devious enough to come up with something really nasty to do in a system call, but you get the idea... jpt
        You are correct, although your example would not work as you intended, something along the lines of the following would:
        script.cgi?x=' . system "any valid OS command here" . '
        the eval of which would look like this:
        $x = '' . system "any valid OS command here" . '';
        In this particular case, the UnTaint would not find any "naughty" symbols we associate with usual system cracking attempts. My focus, however was to address the cause of the poster's immediate problem. The references to the other links and the warning I think were sufficient. In his CGI Course, Ovid addresses these and other security issues.


Re: Quotes In CGI
by Anonymous Monk on Oct 07, 2002 at 19:37 UTC
    Your problem probably has something to with not escaping characters that should be escaped.

    The problem you describe has a lot of steps:

    - grabbing the data from CGI
    - putting the data in the database
    - getting the data out of the database
    - putting the data back into your html.

    Just try to find out in what step the data is lost by examining the data before and after every step.

    good luck!

Re: Quotes In CGI
by andrew (Acolyte) on Oct 07, 2002 at 20:13 UTC
    Its actually when I put it into the DBI! Hmm, and I am using placeholders!
Re: Quotes In CGI
by andrew (Acolyte) on Oct 07, 2002 at 20:19 UTC
    $ins = "INSERT INTO `items` (`category`, `itemid`, `description`, `lo +ngdescription`, `size`, `o1n`, `o1o`, `o2n`, `o2o`, `o3n`, `o3o`, `c1 +n`, `c1v`, `c2n`, `c2v`, `c3n`, `c3v`, `price`, `small`, `large`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, +?, ?)"; $sth = $dbh->prepare("$ins") or die $dbh->errstr; $sth->execute(map(scalar param($_), qw(cat itemid des longdes size o1 +n o1o o2n o2o o3n o3o c1n c1v c2n c2v c3n c3v)),$price,$small,$large) + or die $dbh->errstr;
      You're letting un-Taint-checked data into your database, though it should be correctly quoted. I hope you trust your users.

      Your original problem statement is:

      Well Im having a problem if a user fills out one of my forms and puts somethi g in quotes, and when that gets printed from the database everything beyond the quptes is whiped out, they dont even show up in txt fields.
      Let's break this down. From what you've shown, quotes in a field should get correctly quoted on insert to the database. Have you verified that data is truncated once it's in the database? Assuming that the corrupted data is from the "description" field, what does   SELECT description FROM items WHERE itemid=?
      show, when you plug in the right itemid?

      If it's correct in the database, then you've narrowed the search, and we can then start examining the path data takes on the way back from the database. E.g., If you're putting data that contains quotes into HTML edit controls, you'll need to entity-escape the data.

      And please post your responses under the correct node. It makes the discussion easier to follow.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://203450]
Approved by VSarkiss
Discipulus earthquake in roma..
[Corion]: Discipulus: Whoa! I hope just a minor quake
[Discipulus]: it is probably far from roma.. i hope is not another dramatic event..

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (5)
As of 2017-01-18 09:30 GMT
Find Nodes?
    Voting Booth?
    Do you watch meteor showers?

    Results (161 votes). Check out past polls.