Quotes in Query Statement

On 11.09.2003 05:38:44 by Mike Garner

I'm having problems updating a text field in a MySQL (4.0.12) database. I'm
taking user input from a textarea field on an HTML form and attempting to
update a Text field within the database. The CGI script works fine with
regular text but when special characters are entered I get a Server 500
error on the post operation. Here's the PERL snippet that builds the query.

my $query="Update formtable
Set textarea1='$formvalue'
Where formid=1";

When I was running the query like the above, it really didn't like the ' and
" characters (at least those are the two I found, there may be more) when
entered in the textarea, so I modified the query statement to look like this:

my $query=qq(
Update formtable
Set textarea1=\"$formvalue\"
Where formid=1
);

This fixed the problem for ticks and single-quotes but not the
double-quote. If a " is entered, the CGI errors. How do I best deal with
this type of scenario (hopefully without searching for and replacing these
characters before the query with $formvalue=~s/\"//g;)? I guess what I'm asking
is how do I properly escape the variable so that, no matter what the user enters,
it gets passed straight through to the text field in the database without error.

Any advice is greatly appreciated.

~Mike



--------------------------------------------------------------
Mike Garner
Western State College
Email: mgarner@western.edu
Voice: 970-943-3123
Fax: 970-943-7069
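For the question above, here is an added example (not code from the original post or from the DBI project) of letting DBI handle the quoting with placeholders, so the user's text is never interpolated into the SQL string at all; $dbh->quote is shown for the case where a literal is genuinely needed. The DSN, credentials, table name and the CGI parameter name textarea1 are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Assumes DBI + DBD::mysql,
# a database "formdb" on localhost, and a CGI parameter named textarea1.
use strict;
use warnings;
use CGI;
use DBI;

my $q         = CGI->new;
my $formvalue = $q->param('textarea1');   # untrusted input: may hold ' " \ NUL ...
$formvalue = '' unless defined $formvalue;
my $formid    = 1;

my $dbh = DBI->connect(
    'DBI:mysql:database=formdb;host=localhost',   # assumed DSN
    'formuser', 'formpass',                       # assumed credentials
    { RaiseError => 1, PrintError => 0 },
);

# Placeholders: the statement text contains no user data, so quotes and
# backslashes in $formvalue can neither break the query nor alter it.
# The driver escapes (or binds) the value itself, whatever it contains.
my $sth = $dbh->prepare('UPDATE formtable SET textarea1 = ? WHERE formid = ?');

# Wrap execute so a database error becomes a logged message and a clean
# response instead of an unhandled die (which is what produces the 500).
my $rows = eval { $sth->execute($formvalue, $formid) };
if (!defined $rows) {
    print STDERR "update failed: $@";
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "update failed\n";
    exit;
}
$rows = 0 if $rows eq '0E0';   # DBI returns "0E0" (true but zero) for no rows

# Only if you must embed a literal (e.g. for a log line): let the driver
# quote it rather than hand-rolling s/\"//g; quote() adds the surrounding
# quotes and escapes every character MySQL treats specially.
my $literal = $dbh->quote($formvalue);
print STDERR "ran equivalent of: UPDATE formtable SET textarea1=$literal WHERE formid=$formid\n";

print $q->header('text/plain');
print "updated $rows row(s)\n";
$dbh->disconnect;
```

The same placeholder form works for INSERT and SELECT; the original interpolated string (with either ' or \" around $formvalue) should be retired entirely rather than patched per character.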


--
MySQL Perl Mailing List
For list archives: http://lists.mysql.com/perl