[Mono-list] magic quotes (like PHP)
James Grant
topace@lightbox.org
Tue, 12 Apr 2005 09:22:51 -0400
Answers below:
On Friday 08 April 2005 3:25 pm, A Rafael D Teixeira wrote:
> On Thu, 2005-04-07 at 12:06 -0400, James Grant wrote:
> > Hi there,
>
> Hi James,
>
> > I'm running into an issue with an application that has been ported over
> > from windows to linux/mono. On windows, you could enter apostrophes in
> > input boxes which are then stored in the database without any problems,
> > but on mono it seems that the apostrophes all need to be manually
> > escaped on every query.
>
> You are mixing things: that is surely not a windows x mono issue.
> Quotes in general aren't changed in any form by input boxes, or string
> handling. What may possibly mess with them is the ADO.NET provider when
> writing the string to the database, as it may have to escape the quotes
> as needed, and the particular one you are using may not be doing that
> correctly. Or you may be fooling it by hand-constructing SQL commands or
> setting incorrect parameter definitions.
>
> First answer these:
>
> To what database are you connecting? What ADO.NET provider are you
> using, in Windows with .NET and elsewhere with Mono? Are you using
> correctly parameterized queries?

On Windows, I am unsure what it was using (I wasn't involved with it when it
was running on windows).
On linux, I am using Postgres with the Npgsql driver.
As for "correctly parameterized queries" I have no clue... here is a chunk
of code that inserts a record using the stored procedure.

    // requires: using System; using System.Data; using Npgsql;
    string request;
    int nReturn;

    // Every value has its apostrophes backslash-escaped by hand before it is
    // concatenated into the call text.
    request = "public.\"InsertSchool\"( '" +
        Name.Replace("'","\\'") + "', '" +
        Address1.Replace("'","\\'") + "', '" +
        Address2.Replace("'","\\'") + "', '" +
        City.Replace("'","\\'") + "', '" +
        Province.Replace("'","\\'") + "', '" +
        PostalCode.Replace("'","\\'") + "', '" +
        Country.Replace("'","\\'") + "', '" +
        OfficePhone.Replace("'","\\'") + "', '" +
        OfficeFax.Replace("'","\\'") + "', '" +
        ContactTitle.Replace("'","\\'") + "', '" +
        ContactSalutation.Replace("'","\\'") + "', '" +
        ContactFirstName.Replace("'","\\'") + "', '" +
        ContactLastName.Replace("'","\\'") + "', '" +
        ContactPhone.Replace("'","\\'") + "', '" +
        ContactEmail.Replace("'","\\'") + "');";

    NpgsqlConnection npgsqlConnection = new NpgsqlConnection(cstr);
    NpgsqlCommand command = new NpgsqlCommand(request, npgsqlConnection);
    command.CommandType = CommandType.StoredProcedure;
    npgsqlConnection.Open();
    try
    {
        Object result = command.ExecuteScalar();
        nReturn = Int32.Parse(result.ToString());
    }
    finally
    {
        // Release the connection whether or not the call succeeded.
        npgsqlConnection.Close();
    }

If I do not Replace("'","\\'") everything, as soon as there is an apostrophe
(single quote) the SQL fails.

> Answering that we can find the real culprit for mishandling the
> quotation marks.
>
> > I know PHP has an option for "magic quotes"
> > http://ca.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime
> > and was wondering if mono had a similar configuration option?
>
> No need for such a hack...

Indeed, it does seem like a bit of a hack... but I bet it's useful in some
cases for lazy programmers :)

Cheers,
James
--
James Grant
Lightbox Technologies Inc.
http://www.lightbox.org
613-294-3670
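
Added example, not part of the original message and not the poster's or the Npgsql project's code: the "correctly parameterized queries" asked about in the thread, applied to the InsertSchool call so that apostrophes travel as parameter values and never enter the SQL text. Assumptions: the function takes fifteen text arguments in the order shown in the post and returns an integer; the names InsertSchoolExample, BuildInsertSchool, Fields and the SCHOOL_DB environment variable are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Npgsql;

static class InsertSchoolExample
{
    // Assumed: fifteen text arguments, in the order concatenated in the post.
    static readonly string[] Fields = {
        "Name", "Address1", "Address2", "City", "Province", "PostalCode", "Country",
        "OfficePhone", "OfficeFax", "ContactTitle", "ContactSalutation",
        "ContactFirstName", "ContactLastName", "ContactPhone", "ContactEmail" };

    // Builds SELECT public."InsertSchool"(@Name, @Address1, ...). Only the fixed
    // names above reach the SQL text; each value is bound as a parameter.
    public static NpgsqlCommand BuildInsertSchool(IDictionary<string, string> school)
    {
        var command = new NpgsqlCommand();
        var placeholders = new List<string>();
        foreach (string field in Fields)
        {
            placeholders.Add("@" + field);
            command.Parameters.Add(new NpgsqlParameter(field, school[field]));
        }
        command.CommandText = "SELECT public.\"InsertSchool\"("
            + string.Join(", ", placeholders) + ")";
        return command;
    }

    static void Main()
    {
        // Constructed sample record with apostrophes in two fields.
        var school = new Dictionary<string, string>();
        foreach (string field in Fields) school[field] = "";
        school["Name"] = "St. Mary's School";
        school["ContactLastName"] = "O'Brien";
        using (NpgsqlCommand command = BuildInsertSchool(school))
        {
            Console.WriteLine(command.CommandText); // contains no user data
            string cstr = Environment.GetEnvironmentVariable("SCHOOL_DB"); // hypothetical
            if (string.IsNullOrEmpty(cstr)) return; // no database configured
            using (var connection = new NpgsqlConnection(cstr))
            {
                connection.Open();
                command.Connection = connection;
                Console.WriteLine(Convert.ToInt32(command.ExecuteScalar()));
            }
        }
    }
}
```

Without SCHOOL_DB set, the program only prints the command text, which shows the placeholders and none of the sample values.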