Completely OT

inhahe inhahe at gmail.com
Mon Nov 30 19:37:22 CET 2009


On Mon, Nov 30, 2009 at 1:21 PM, Victor Subervi <victorsubervi at gmail.com> wrote:
> On Mon, Nov 30, 2009 at 2:00 PM, inhahe <inhahe at gmail.com> wrote:
>>
>> On Mon, Nov 30, 2009 at 12:58 PM, inhahe <inhahe at gmail.com> wrote:
>> > On Mon, Nov 30, 2009 at 12:49 PM, Victor Subervi
>> > <victorsubervi at gmail.com> wrote:
>> >>
>> >>
>> >> If I'm not mistaken, that won't help me actually print to screen the
>> >> user's
>> >> choices as he selects them, which in my application, is important.
>> >> Please
>> >> advise.
>> >> TIA,
>> >> V
>> >
>> >
>> > sure, that's where this part comes in:
>> >
>> > the javascript would populate the list for the colors the user selects
>> > (the easiest way would probably be to give the list an id and use
>> > getElementByID())
>> >
>> > so basically you'd define, e.g., an onClick="blah('red'); return true"
>> > within the red element's tag, and then define a function blah(x) that
>> > says
>> > getElementById("my_list_id").innerHtml += "<br>" + x;
>> > and of course give your list textarea an id="my_list_id" attribute in
>> > the tag.
>> >
>> > that could be slightly wrong, my javascript's rusty
>> >
>>
>> also don't forget to sanitize the data you receive before committing
>> it to the database, or someone can hack the javascript and send an SQL
>> injection attack
>
> Good call! However, in my case I can put this all behind a firewall. It's
> only for the shop builder's use, and that's my client...whom I can track!
> But I presume this would entail doing searches for and eliminating all
> unnecessary characters, right?
> V
>

depends on if you're using python or php  on the server side
if you're using Python, just use parameterized sql, which completely
avoids the issue of sql injection
if you're using php, parameterized sql is kind of pain in the ass, but
it includes a function for sanitizing strings so you don't have to
make one yourself.
if i remember correctly though, my friend and i had issues with that
function, for example ' would be saved as \' in our database, or
something like that
i'm not sure which characters you need to eliminate to sanitize sql
parameters.. i wouldn't be comfortable relying on my own function to
do that without thoroughly researching the issue... and i'd probably
just rather find a function that's already been written



More information about the Python-list mailing list