BTnews wrote:
> Hi,
>
> Can anyone here point me at a definitive guide or tutorial about using
> escape characters when building SQL queries from user entered data?
> I'm especially interested in info on this in regard to Access
> databases and (classic) ASP.
>
> I've been writing ASP for just over a year now, and I've usually
> found very comprehensive answers to other problems on one of the many
> excellent website resources out there. The coverage of this
> particular issue seems to be patchy at best though. Given the
> importance of this in regards to security and making sure key
> features like search facilities work properly I'm surprised it isn't
> covered very well. The solutions I've seen include doubling
> apostrophes (which doesn't always seem to work), using [] brackets
> within LIKE clauses (so how do you escape square brackets?), using
> backslashes, using an ESCAPE keyword etc.
>
> What I want to know is which solutions to use in which cases, and a
> full list of characters to check for would be useful also.
>
> Thanks
>
> D.Jones

In both SQL and vbscript (VB/VBA), you escape characters by doubling them. I
have never seen a circumstance where this did not "seem to work". Perhaps
you could expand on this ...

Backslashes are used in jscript/javascript. I've never used a language that
used an ESCAPE keyword.

I have posted on this subject several times in the past, so instead of
writing about it again, here are some links:

http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://www.google.com/groups?hl=en&l...r%3D%26hl%3Den
http://tinyurl.com/jyy0
http://www.google.com/groups?hl=en&l...miter%2Bauthor:Bob%2Bauthor:Barrows%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN

HTH,
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
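
The doubling rule from the reply and the bracket question from the original post, worked through as an added example that is not code from either poster. The helper names `SqlLiteral`, `LikeLiteral` and `BuildSearchSql`, the `Customers` table and `CompanyName` column, and the sample search term are hypothetical; the script runs under `cscript` (in an ASP page, swap `WScript.Echo` for `Response.Write`).

```vbscript
Option Explicit

' Hypothetical helper: wrap a value as a '...' SQL string literal,
' doubling every apostrophe so it cannot close the literal early.
Function SqlLiteral(ByVal s)
    SqlLiteral = "'" & Replace(s, "'", "''") & "'"
End Function

' Hypothetical helper: make user text match literally inside a Jet LIKE
' pattern. Each wildcard, and the opening bracket itself, is wrapped in
' [] so it becomes a one-character class: % -> [%], [ -> [[].
' A closing bracket on its own needs no treatment.
Function LikeLiteral(ByVal s)
    Dim i, ch, result
    result = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        Select Case ch
            Case "[", "%", "_", "*", "?", "#"
                result = result & "[" & ch & "]"
            Case Else
                result = result & ch
        End Select
    Next
    LikeLiteral = result
End Function

' Order matters: neutralise wildcards first, add the intended % wildcards,
' then quote the whole pattern as a string literal.
Function BuildSearchSql(ByVal term)
    BuildSearchSql = "SELECT CustomerID FROM Customers " & _
        "WHERE CompanyName LIKE " & SqlLiteral("%" & LikeLiteral(term) & "%")
End Function

' Constructed sample input containing an apostrophe, a wildcard and brackets.
WScript.Echo BuildSearchSql("O'Brien 100% [draft]")
```

Binding the pattern as an `ADODB.Command` parameter removes the need for the apostrophe doubling; the wildcard bracketing is still required there, because it is the LIKE operator, not the SQL parser, that interprets those characters.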