On Mon, Nov 30, 2009 at 2:37 PM, inhahe <inh...@gmail.com> wrote:
> On Mon, Nov 30, 2009 at 1:21 PM, Victor Subervi <victorsube...@gmail.com>
> wrote:
> > On Mon, Nov 30, 2009 at 2:00 PM, inhahe <inh...@gmail.com> wrote:
> >>
> >> On Mon, Nov 30, 2009 at 12:58 PM, inhahe <inh...@gmail.com> wrote:
> >> > On Mon, Nov 30, 2009 at 12:49 PM, Victor Subervi
> >> > <victorsube...@gmail.com> wrote:
> >> >>
> >> >>
> >> >> If I'm not mistaken, that won't help me actually print to screen the
> >> >> user's choices as he selects them, which in my application, is important.
> >> >> Please advise.
> >> >> TIA,
> >> >> V
> >> >
> >> >
> >> > sure, that's where this part comes in:
> >> >
> >> > the javascript would populate the list for the colors the user selects
> >> > (the easiest way would probably be to give the list an id and use
> >> > getElementByID())
> >> >
> >> > so basically you'd define, e.g., an onClick="blah('red'); return true"
> >> > within the red element's tag, and then define a function blah(x) that
> >> > says
> >> > getElementById("my_list_id").innerHtml += "<br>" + x;
> >> > and of course give your list textarea an id="my_list_id" attribute in
> >> > the tag.
> >> >
> >> > that could be slightly wrong, my javascript's rusty
> >> >
> >>
> >> also don't forget to sanitize the data you receive before committing
> >> it to the database, or someone can hack the javascript and send an SQL
> >> injection attack
> >
> > Good call! However, in my case I can put this all behind a firewall. It's
> > only for the shop builder's use, and that's my client...whom I can track!
> > But I presume this would entail doing searches for and eliminating all
> > unnecessary characters, right?
> > V
> >
>
> depends on if you're using python or php on the server side
> if you're using Python, just use parameterized sql, which completely
> avoids the issue of sql injection
> if you're using php, parameterized sql is kind of pain in the ass, but
> it includes a function for sanitizing strings so you don't have to
> make one yourself.
> if i remember correctly though, my friend and i had issues with that
> function, for example ' would be saved as \' in our database, or
> something like that
> i'm not sure which characters you need to eliminate to sanitize sql
> parameters.. i wouldn't be comfortable relying on my own function to
> do that without thoroughly researching the issue... and i'd probably
> just rather find a function that's already been written
>
Yeah, parameterize it. PHP?! Wash your mouth out with soap! ;) V
-- http://mail.python.org/mailman/listinfo/python-list
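The point made in the thread (parameterize instead of trying to strip "bad" characters yourself) is worth seeing side by side. What follows is an added example, not code from anyone in the thread. It assumes the standard-library sqlite3 module as a stand-in for whatever database the shop builder actually used, and the colors table, the shop names and the injection payload are all constructed for the demonstration. The unsafe function builds the SQL text with string formatting, which is what "sanitizing" is trying to rescue; the safe function passes the value as a bound parameter, so the driver never parses it as SQL and an apostrophe in the data is stored as an apostrophe, not as \' (the escaping artifact inhahe complained about).

```python
import sqlite3


def make_db():
    """In-memory database with a constructed colors table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE colors (id INTEGER PRIMARY KEY, shop TEXT, color TEXT)"
    )
    conn.executemany(
        "INSERT INTO colors (shop, color) VALUES (?, ?)",
        [("victor", "red"), ("victor", "blue"), ("other", "green")],
    )
    conn.commit()
    return conn


def colors_unsafe(conn, shop):
    """VULNERABLE: the value becomes part of the SQL text.

    A quote in `shop` either breaks the statement (syntax error) or lets the
    caller rewrite the WHERE clause. Do not use this pattern.
    """
    sql = "SELECT color FROM colors WHERE shop = '%s' ORDER BY id" % shop
    return [row[0] for row in conn.execute(sql)]


def colors_safe(conn, shop):
    """Parameterized query: `shop` is bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT color FROM colors WHERE shop = ? ORDER BY id", (shop,)
    )
    return [row[0] for row in rows]


def save_color_safe(conn, shop, color):
    """Insert with bound parameters and read the stored value back verbatim."""
    conn.execute("INSERT INTO colors (shop, color) VALUES (?, ?)", (shop, color))
    conn.commit()
    row = conn.execute(
        "SELECT color FROM colors WHERE shop = ? ORDER BY id DESC LIMIT 1",
        (shop,),
    ).fetchone()
    return row[0]


def demo():
    """Run both versions against the same inputs and collect the results."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload, closes the quote
    results = {
        # unsafe: WHERE shop = '' OR '1'='1' matches every row, all shops leak
        "unsafe_injected": colors_unsafe(conn, payload),
        # safe: looks for a shop literally named "' OR '1'='1", finds nothing
        "safe_injected": colors_safe(conn, payload),
        "safe_normal": colors_safe(conn, "victor"),
        # an apostrophe in the data round-trips unchanged, no \' in the table
        "roundtrip": save_color_safe(conn, "victor", "dark 'navy' blue"),
    }
    try:
        # a perfectly legitimate value breaks the unsafe version outright
        colors_unsafe(conn, "O'Brien")
        results["unsafe_quote_error"] = False
    except sqlite3.OperationalError:
        results["unsafe_quote_error"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

The firewall argument in the thread does not change any of this: the query is just as easy to break with an honest apostrophe (O'Brien) as with a hostile one, and the bound-parameter form costs nothing extra. The same `?` placeholder style applies to the other DB-API 2.0 drivers for SQLite-like databases; MySQL and PostgreSQL drivers typically use `%s` as the placeholder, but the principle (pass a tuple of values as the second argument, never format them into the string) is identical.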