Q: Programming in Perl for web forms. ( Answered 1 out of 5 stars,   5 Comments )
Question  
Subject: Programming in Perl for web forms.
Category: Computers > Programming
Asked by: greenbarley-ga
List Price: $10.00
Posted: 09 Jun 2002 22:12 PDT
Expires: 09 Jul 2002 22:12 PDT
Question ID: 24061
I need help with the cgi order form page at my website
www.greenbarley.com.
When someone uses quotation marks (") in a field, all information
following the quote symbol is lost when the form is submitted.  Is
there a way to allow quotes and avoid this problem?
Answer  
Subject: Re: Programming in Perl for web forms.
Answered By: blader-ga on 09 Jun 2002 22:25 PDT
Rated:1 out of 5 stars
 
Dear greenbarley:

Thanks for your question. The quotation marks in Perl are used to
delimit a string, so if a user enters that in a form, it confuses the
script. Although I'm not familiar with Perl, I am familiar with Java
and C++, and sometimes I encounter similar problems in my
applications.

The simplest way to fix this problem is to have your script append the
backslash character '\' before the occurrence of the quotation marks in
the input. I'm not sure how you would do this in Perl, but in C++ or
Java it's very easy.

"The double quotation mark inside the body tag would normally confuse
the Perl program because double quotation marks are used to contain a
statement or string. So the double quotation marks need to be escaped
with a backslash so that the Perl program won't see them as it would
normally see a double quotation mark, which would mark the beginning
or the end of a statement in this case. In a double-quoted string,
there are four characters that have special meaning: $, @, \, and the
quote " itself. These need to be escaped (protected) with a backslash
if you want to prevent the special meaning from taking effect."

Source: Webdesign1.com
[ http://www.webdesigns1.com/perl/tutorial.html ]

I hope this helps. If you need help on how to do this, or if this did
not fix the problem, please ask for a clarification. I would be more
than happy to conduct further research for you.

Best Regards,
blader-ga

Clarification of Answer by blader-ga on 09 Jun 2002 22:42 PDT
Dear greenbarley:

You may also find the following website helpful:

"Designing Forms"
[ http://teachx.rutgers.edu/tec/workshops/forms.html ]

Of particular interest to you in that page:

replace=fieldname/item1/item2/
Fieldname indicates which field in the form the replace command should
work with. An asterisk signifies all fields. The command will then
find item1 and replace it with item2. In the example above, the
replace command checks all the fields for a double-quote, and replaces
it with a single-quote. Another useful command is replace=*/\n/ /
which will look for a "new line" character (Return or Enter) and
replace it with a space.

[ http://teachx.rutgers.edu/tec/workshops/forms.html ]

So, to replace all quotation marks with an escaped quotation mark
character, you would use the following code in Perl:

             replace=*/"/\"/


I hope this helps!

Best Regards,
blader-ga

Clarification of Answer by blader-ga on 10 Jun 2002 21:22 PDT
Dear greenbarley:

You asked for a way to allow quotes and avoid this problem, and I
explained why you have this problem and a possible way to fix it. I
also mentioned that I would be more than happy to tell you how to do
this if asked for a clarification, or do more research for you if the
method I described did not help, but you did not give me a chance to
do so. It's difficult to debug Perl code without seeing any of the
code. The clarification gave the Perl code to replace quotation marks
with an escaped quotation mark, which is exactly what would fix your
problem. I'm sorry that you were not satisfied with the answer. You may
go to this page for a refund:

[ https://answers.google.com/answers/main?cmd=refundrequest ]

Best Regards,
blader-ga
greenbarley-ga rated this answer:1 out of 5 stars
The answer did not tell me anything I did not already know. I already
knew what the problem was, I was wanting a solution, which the
researcher did not provide. Also, the clarification was totally
unrelated to my problem. My question was eventually answered not by
the researcher, but by another user (iaint-ga). Please refund the $10
to my credit card ASAP.

Comments  
Subject: Re: Programming in Perl for web forms.
From: iaint-ga on 10 Jun 2002 02:31 PDT
 
The processing of regular expressions (which are used for
investigating the contents of and making alterations to strings) is
at the very heart of Perl. String delimiters are either single-quotes
(') for non-interpolated strings, double-quotes (") for interpolated
strings, or possibly any other character using the q or qq operators.

What the above all means is that it's very easy to deal with the
problem, although without being able to see the source code behind
your CGI script I can't give you a full "cut and paste" solution.
However the following should give you roughly what you require.

The basic syntax for "escaping" all double-quote characters in a
string would be:

$string =~ s/"/\\"/g

This breaks down as follows:

$string          -- the variable you are working on
=~               -- perform a regular expression
s/               -- which is a substitution
"                -- we want to find all " characters
/                -- and replace them with
\\"              -- \" ... note that it's necessary to escape the backslash within the s/// construct
/g               -- the g on the end means "do this for *every* occurrence of a double-quote in this string"

Your HTML form variables are probably being returned to your CGI
script as either a regular array or a hash, in which case the
following loops would perform the above operation on ALL variables.

# If form vars are in an array called @formdata
foreach ( @formdata ) {
  s/"/\\"/g;
}

# If form vars are in a hash called %formdata
foreach ( keys %formdata ) {
  $formdata{$_} =~ s/"/\\"/g;
}

I hope the above gives you sufficient information to modify the Perl
code to meet your requirements.
Subject: Re: Programming in Perl for web forms.
From: greenbarley-ga on 10 Jun 2002 04:40 PDT
 
Hi, thanks for the good information.  I have tried to incorporate this
into my form but I still cannot get it to work.  The actual order form
is submitted by the customer, and a confirmation page is shown with
all form details - quote marks and all info show up fine on this page.
 The submit button is clicked again and the order is emailed to myself
and a confirmation email is sent to the customer.  The quotes and
everything after do not show up in the emails.  Please contact me at
darren@greenbarley.com and I will send you a copy of the actual code.
Subject: Re: Programming in Perl for web forms.
From: lexi-ga on 11 Jun 2002 10:35 PDT
 
If you have two different scripts, you'll need to escape the quotes in
both places. You're probably doing this already, but that would be the
first thing I check.

Are you HTML-escaping the quotes for display on the confirmation page?
It's possible the browser is interpreting the quotes as element
delimiters and actually transmitting the wrong stuff back to you from
the confirmation page.
(The regexp for HTML-escaping a double quote is  $string =~ s/\"/&quot;/; )

My approach to debug this would be to print out the contents of one of
your form variables to a log file, and walk through the process of
submitting the order form and confirmation form while looking at this
output (the idea is to narrow down exactly what is being output by the
script, because there are two likely possibilities for the source of
your bug - either the script is feeding bad values into the
confirmation page, or the browser is interpreting the page badly and
giving you the bad input to the confirmation page.  Other
possibilities include interactions with your mailer software - you
didn't mention how you were sending mail from perl).  The problem may
turn up somewhere you weren't expecting.  Good luck.
Subject: Re: Programming in Perl for web forms.
From: greenbarley-ga on 11 Jun 2002 13:50 PDT
 
Thanks people - I've sorted it out!
Subject: Re: Programming in Perl for web forms.
From: smitz-ga on 07 Aug 2002 07:51 PDT
 
Never never NEVER code your own CGI input processing - If you're
having trouble decoding quote marks, how will you prevent this?
http://yoursite/your.cgi?q=whatever&\x255\x132\x234\x34"';echo\%20/etc/passwd??

the answer: 
use CGI;

this module does everything for you, including preventing errors that
you haven't even dreamt could occur. This would automatically
encode/decode all input for you and solve your problem in roughly 8
keystrokes.
NEVER roll your own!

SMiTZ
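
An added example, not part of the original thread: it reproduces the symptom greenbarley describes (value intact on the confirmation page, cut off at the quote in the emails) using lexi-ga's hidden-field explanation and the CGI module smitz-ga recommends. Assumptions: CGI.pm is installed, the field is named `comments`, the sample value is constructed, and `value_browser_sends_back` is a hypothetical, simplified model of how a browser reads an attribute value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;   # assumption: CGI.pm is installed (CPAN; not in core since Perl 5.22)

# Constructed sample submission: a field value containing a double quote.
my $q     = CGI->new( { comments => 'Two 5" pipes & fittings' } );
my $value = $q->param('comments');

# Simplified model of the browser: the attribute value ends at the first
# unescaped double quote, then HTML entities are decoded.
sub value_browser_sends_back {
    my ($html) = @_;
    my ($attr) = $html =~ /value="([^"]*)"/;
    return $q->unescapeHTML($attr);
}

# Confirmation page, broken: the raw value is dropped into the attribute,
# so the user's quote closes value="..." early.
my $raw_field = qq{<input type="hidden" name="comments" value="$value">};

# Confirmation page, fixed: the value is HTML-escaped before it goes
# into the markup (" becomes &quot;, & becomes &amp;).
my $safe_field = sprintf '<input type="hidden" name="comments" value="%s">',
                         $q->escapeHTML($value);

for my $case ( [ raw => $raw_field ], [ escaped => $safe_field ] ) {
    my ( $label, $html ) = @$case;
    printf "%-8s %s\n", $label, $html;
    printf "%-8s second submit carries: %s\n\n", '',
           value_browser_sends_back($html);
}
```

The raw field round-trips as `Two 5`, while the escaped field round-trips as the full original string, which is why the text looks right when printed on the confirmation page but is truncated by the time the second submit reaches the mail step.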
