Data isn't saved if user input contains quotes #13
Description
Discovered this with some feedback from a fork of this. From mentalhealthawhereness/map#1
I tried inserting a note that read
I'm here...and the console revealed an error messagePOST https://anditabinas.carto.com/api/v2/sql 400 (Bad Request) (index):206 Problem saving the dataThe sql that is being generated here is something like `SELECT insert_data('I'm here');' The issue is in where the sql string to get passed to the Carto sql API is being generated by simple string manipulation https://github.com/mentalhealthawhereness/map/blob/master/index.html#L199-210
A simple fix would be to replace any single-quote with the Postgresql-friendly doubled single quote
SELECT insert_data('I''m here');(see ex below) but I wonder if there's a.... better way of solving more cases of user-input that could break this. So I asked on StackOverflowsanitized_input = user_input.replace("'", "''")