[Laszlo-user] passing the '&' character using setSrc

graphis1@mac.com graphis1 at mac.com
Fri Mar 31 12:28:30 EST 2006

How can I successfully encode and pass the '&' character from a  
textbox to my database using setSrc, whilst preventing sql attacks?

I have a method that sends data from a textbox like so:

<method event = "onclick" >
    thetext = LzBrowser.urlEscape(parent.editbox.getText());
    thedata.setSrc("http://localhost:3000/names/update/" + "id=" +  
myid + "&" + name + "=" + thetext );

I am using a Ruby controller on the backend that creates a hash of  
the parameters passed in the URL by splitting the URL at each '&'  
sign and submitting them to the database:

values = params['id'].split('&').map {|s| s.split('=', 2)}
attributes = Hash[*values.flatten]

This works well until a user tries to submit text containing the "&"  
character - it's encoded by urlEscape to %26, which appears to break  
the Ruby controller - doRequest fails. I've also tried using  
xmlEscape instead which encodes & to &amp; with similar consequences.

Am I going about passing the text information the right way, or is  
there a better one?

More information about the Laszlo-user mailing list