[erlang-questions] Special Characters problem

Daniel Luna daniel@REDACTED
Thu Jan 3 16:20:55 CET 2013


On 2 January 2013 06:35, Vlad Dumitrescu <vladdu55@REDACTED> wrote:
> On Wed, Jan 2, 2013 at 12:26 PM, Evren Bayraktar <evrenweb@REDACTED> wrote:
>> lists:flatten(io_lib:format("from=~s&to=~s&message=~s&status=~b&time_create=~b",
>> [FromS, ToS, BodyS, Status, unix_timestamp()
>
>
> I would guess that the message's body (and maybe even the other strings)
> should be escaped or quoted (by using ~w instead of ~s), probably the parser
> for the resulting string can't handle the spaces and the '>'.
>
> You should in any case sanitize the input, otherwise you will have problems
> with code injection, imagine a message saying
> "Hello&status=closed&time_create=..." (or worse).

Exactly what Vlad is saying.  The correct solution is:

io_lib:format("from=~s&to=~s&message=~s&status=~b&time_create=~b",
[url_encode(FromS), url_encode(ToS), url_encode(BodyS), Status,
unix_timestamp()])

and FYI, in most cases you don't have to flatten the resulting list
from io_lib:format.  If you are writing the data to a port or a file,
the driver will take care of that in a more efficient way.

Cheers,

Daniel
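To make the injection Vlad describes concrete, here is an added example (my own code, not from the thread or from any library the posters use). It assumes a hypothetical `url_encode/1` written as RFC 3986 percent-encoding over the UTF-8 bytes of the string, a hypothetical `unix_timestamp/0` built on `erlang:system_time/1`, and a small form-style query parser standing in for whatever consumes the string on the other side. The constructed message body contains `&status=closed`; building the query with and without encoding and then parsing both shows why the encoded form is the one to send:

```erlang
-module(query_encode).
-export([url_encode/1, url_decode/1, parse_query/1,
         build_query/4, build_query_unsafe/4, demo/0]).

%% Assumed helper (not on the page): seconds since the Unix epoch.
unix_timestamp() ->
    erlang:system_time(second).

%% Percent-encode per RFC 3986: only the unreserved characters
%% (ALPHA / DIGIT / "-" / "." / "_" / "~") pass through unchanged.
%% Everything else, including '&', '=', space and every byte of a
%% non-ASCII character's UTF-8 form, is emitted as %XX. The result is
%% pure ASCII, so it is also safe to pass through "~s".
url_encode(S) ->
    Bytes = binary_to_list(unicode:characters_to_binary(S)),
    lists:flatten([encode_byte(B) || B <- Bytes]).

encode_byte(B) when B >= $a, B =< $z; B >= $A, B =< $Z; B >= $0, B =< $9 ->
    [B];
encode_byte(B) when B =:= $-; B =:= $.; B =:= $_; B =:= $~ ->
    [B];
encode_byte(B) ->
    io_lib:format("%~2.16.0B", [B]).

%% Inverse of url_encode/1 for a form-style receiver: %XX becomes the
%% byte XX, '+' becomes a space, and the bytes are reassembled as UTF-8.
url_decode(S) ->
    unicode:characters_to_list(list_to_binary(decode_bytes(S))).

decode_bytes([$%, H, L | Rest]) -> [list_to_integer([H, L], 16) | decode_bytes(Rest)];
decode_bytes([$+ | Rest])       -> [$\s | decode_bytes(Rest)];
decode_bytes([C | Rest])        -> [C | decode_bytes(Rest)];
decode_bytes([])                -> [].

%% Stand-in for the receiving side: split on '&', then on the first '=',
%% and decode both halves. Returns a proplist of {Key, Value} strings.
parse_query(Query) ->
    Flat = lists:flatten(Query),
    [case string:split(Pair, "=") of
         [K, V] -> {url_decode(K), url_decode(V)};
         [K]    -> {url_decode(K), ""}
     end || Pair <- string:split(Flat, "&", all), Pair =/= ""].

%% What the original post did: raw strings straight into the query.
build_query_unsafe(FromS, ToS, BodyS, Status) ->
    lists:flatten(io_lib:format(
        "from=~s&to=~s&message=~s&status=~b&time_create=~b",
        [FromS, ToS, BodyS, Status, unix_timestamp()])).

%% The fix from the reply: every attacker-influenced string is encoded
%% before it is formatted, so it can no longer contain a bare '&' or '='.
build_query(FromS, ToS, BodyS, Status) ->
    lists:flatten(io_lib:format(
        "from=~s&to=~s&message=~s&status=~b&time_create=~b",
        [url_encode(FromS), url_encode(ToS), url_encode(BodyS),
         Status, unix_timestamp()])).

%% Constructed hostile message body, modelled on Vlad's example.
%% Returns {StatusValuesSeenUnsafe, StatusValuesSeenSafe, DecodedSafeMessage}.
demo() ->
    Body = "Hello&status=closed&time_create=0",
    Unsafe = parse_query(build_query_unsafe("alice", "bob", Body, 1)),
    Safe   = parse_query(build_query("alice", "bob", Body, 1)),
    {proplists:get_all_values("status", Unsafe),
     proplists:get_all_values("status", Safe),
     proplists:get_value("message", Safe)}.
```

Run `query_encode:demo().` in a shell. In the unsafe result the receiver sees two `status` keys, with the attacker's `closed` arriving before the real one, so a first-wins parser adopts the injected value; in the safe result there is exactly one `status`, and `message` decodes back to the original body, ampersands and all. The decoder is only there to play the receiver; on the sending side the single thing that matters is that `url_encode/1` runs on every field before `io_lib:format`.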
