Skip to content

Data isn't saved if user input contains quotes #13

@radumas

Description

@radumas

Discovered this with some feedback from a fork of this. From mentalhealthawhereness/map#1

I tried inserting a note that read I'm here... and the console revealed an error message

POST https://anditabinas.carto.com/api/v2/sql 400 (Bad Request)
(index):206 Problem saving the data

The sql that is being generated here is something like `SELECT insert_data('I'm here');' The issue is in where the sql string to get passed to the Carto sql API is being generated by simple string manipulation https://github.com/mentalhealthawhereness/map/blob/master/index.html#L199-210

A simple fix would be to replace any single-quote with the Postgresql-friendly doubled single quote SELECT insert_data('I''m here'); (see ex below) but I wonder if there's a.... better way of solving more cases of user-input that could break this. So I asked on StackOverflow

sanitized_input = user_input.replace("'", "''")

Metadata

Metadata

Assignees

Labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions