"Michael Hill" <hillmw_at_charter.net> wrote in message
news:101krd93fbhpe3d_at_corp.supernews.com...
> The users will cry, bitch, moan, groan, and other stuff if their
ampersands
> gets stripped out.
>
> That's what I am asking.
>
> Am I hearing that the predominate "fix" is to strip out characters like &,
> ", and others?
>
> Mike
>
> "Daniel Morgan" <damorgan_at_x.washington.edu> wrote in message
> news:1075442605.684654_at_yasure...
> > Chris O wrote:
> >
> > > "Daniel Morgan" <damorgan_at_x.washington.edu> wrote in message
> > > news:1075422191.224621_at_yasure...
> > >
> > >>Michael Hill wrote:
> > >>
> > >>
> > >>>I have a general question about how people generally tend to deal
with
> > >>>users data that they enter.
> > >>>
> > >>>As an example users enter double quotes in a text field surrounding a
> > >>>specific piece of text they want to hi-lite and then it barfs during
> the
> > >>>oracle insert step because the string is not properly delimited.
> > >>>
> > >>>Another example is where the ampersand causes trouble when used on an
> > >>>xml page so provisions are made to insert it into the table using the
> > >>>ascii equavalent & . But the field is only 25 characters so when
a
> > >>>string with 25 characters that has an ampersand is being input and we
> > >>>change the ampersand to the ascii equavalent we now have more then 25
> > >>>characters and update fails beacuse we have too many characters. We
> > >>>could truncate them before the insert, or we could write some code to
> > >>>deal with them onthe client.
> > >>>
> > >>>Others copy and paste from word documents into a text field and in it
> > >>>there are hidden formatting fields like bullets.
> > >>>
> > >>>The users barf and complain about the application, but what we have
> here
> > >>>is bad data.
> > >>>
> > >>>How do most handle these?
> > >>>
> > >>>Mike
> > >>
> > >>The TRANSLATE function.
> > >>
> > >>--
> > >>Daniel Morgan
> > >>http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
> > >>http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
> > >>damorgan_at_x.washington.edu
> > >>(replace 'x' with a 'u' to reply)
> > >>
> > >
> > > Daniel. I agreed but I would go further to suggest that the preferred
> > > approach [depending on the tool] would be to not build the SQL
> dynamically
> > > but rather to use a bind variable. Only as a last resort should the
> dynamic
> > > SQL be used.
> > >
> > > Michael you might want to check out Pete Finnigan's articles on SQL
> > > Injection: http://www.petefinnigan.com/orasec.htm
> > >
> > > Cheers Chris
> >
> > I see no evidence of dynamic SQL having anything to do with the OP's
> > question. Perhaps this is my error but what I saw was:
> >
> > SQL> CREATE TABLE test (
> > 2 testcol VARCHAR2(20));
> >
> > SQL> insert into test values (TRANSLATE('ABC&DEF', 'A&', 'A'));
> >
> > 1 row created.
> >
> > SQL> select * from test;
> >
> > TESTCOL
> > --------------------
> > ABCDEF
> >
> > SQL>
> >
> > Ampersand stripped out.
> >
> > --
> > Daniel Morgan
> > http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
> > http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
> > damorgan_at_x.washington.edu
> > (replace 'x' with a 'u' to reply)
> >
>
>
Not as far as I figure. The correct method is not to store presentation
related information in source data. That is, store what you want to present
in the column but keep the presentation separate. That is, perform the
translation of the '&' character to '&' or whatever at the point of
translation into a presentation document. If XML is used as an intermediate
document then you translate the '&' --> '&' at the time you generate the
XML document and not when you store the original content.
Cheers Chris
Received on Fri Jan 30 2004 - 09:19:53 CST
