Connecting Tech Pros Worldwide Help | Site Map
bytes > topic > asp classic > answers

Validating in asp with access

Mats
Guest
  
Posts: n/a
#1: Jul 19 '05
It's good practice to validate input, not only where it should be coming
from, but from anywhere it's possible to change or add input for a
"client".
If all user input is transfered using "post" you can be pretty tough on
querystrings, if you use them at all.
But user input could have a name like Mc'Donald, and we would not like
quotes (wether single or double) in input to a database or an asp
script. Though I beleive more dangerous in SQL server there should be
(?) a danger with access as well. (The infamous SQL injection)
Anyone with some "input" in this matter?

Escape caracters? Haven't found any.
Changing the caracter "scriptwise"? Maybe

Mats


*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Bob Barrows
Guest
  
Posts: n/a
#2: Jul 19 '05

re: Validating in asp with access

Mats wrote:[color=blue]
> It's good practice to validate input, not only where it should be
> coming from, but from anywhere it's possible to change or add input
> for a "client".
> If all user input is transfered using "post" you can be pretty tough
> on querystrings, if you use them at all.
> But user input could have a name like Mc'Donald, and we would not like
> quotes (wether single or double) in input to a database or an asp
> script. Though I beleive more dangerous in SQL server there should be
> (?) a danger with access as well. (The infamous SQL injection)
> Anyone with some "input" in this matter?
>
> Escape caracters? Haven't found any.
> Changing the caracter "scriptwise"? Maybe
>
> Mats
>[/color]
You double characters that need to be escaped:

sName = "O'Donald"
sName = Replace(sName, "'", "''")

The sName variable will now contain "O''Donald" (two apostrophes). When Jet
parses the query containing this string, it will interpret the two
consecutive apostrophes as a single quote.

This is how it is done in all forms of VB. If you need to create a string
containing a literal double quote, you do it by escaping the double quote:

sString = "9"" wrench"

It is also the way it is done in T-SQL when you get around to using SQL
Server.

Bob Barrows
Mats
Guest
  
Posts: n/a
#3: Jul 19 '05

re: Validating in asp with access

Thanks Bob.
Ok - I should have remembered the four dubbleqoutes you ned in order to
escape quotes in asp.
I'm surprised that something so important and problematic is hardly
discussed at all.
Could you direct me and others to a source of information in this
matter?
Mats


*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Bob Barrows
Guest
  
Posts: n/a
#4: Jul 19 '05

re: Validating in asp with access

Mats wrote:[color=blue]
> Thanks Bob.
> Ok - I should have remembered the four dubbleqoutes you ned in order
> to escape quotes in asp.
> I'm surprised that something so important and problematic is hardly
> discussed at all.
> Could you direct me and others to a source of information in this
> matter?
> Mats
>[/color]
Most books on data access cover this. Bill Vaughn's "ADO Examples and Best
Practices" is a good one, despite being geared more to VB than ASP. Here's
something I posted a couple weeks ago that a couple people found helpful:

Here are the rules for delimiting data in dynamic sql strings, particularly
in the WHERE clause:
To decide whether or not to delimit the data, look at the datatype of the
FIELD BEING COMPARED TO - NOT THE DATA.

1. If it's a numeric field, you must supply it with numeric data, which
means you MUST NOT delimit the data by putting quotes around it.

2. If it's a character/text field, then you must supply string data by
delimiting the data either with single or double quotes. If the data
contains literal quotes, you must escape them by doubling them. This means
that if you use single quotes (apostrophes) for your string delimiters, and
the data contains an apostrophe, then you must replace the apostrophe with
two apostrophes, like this:
Update tbl set textfield = 'O''Malley'
In Access, you can use double quotes for your delimiters, so this will work
as well:
Update tbl set textfield = "O'Malley"
Note: you don't have to escape the apostrophe in O'Malley when you use
double quotes as the delimiter. However, you will need to escape the double
quotes when assigning this statement to a variable:
sSQL = "Update tbl set textfield = ""O'Malley"""
So most people will use the single quotes and escape the apostrophe:
sName = "O'Malley"
sSQL = "Update tbl set textfield = '" & Replace(sName,"'","''") & "'"
response.write sSQL

3. If it's a date/Time field, then the delimiters depend on the type of
database. Since you are using Access, then you must delimit the data with
hash marks (#). Additionally, you must supply the data in US format
(m/d/yyyy) or in ISO (yyyy-mm-dd), with the latter being the more
recommended.

4.Lastly, if you are using LIKE, you need to be aware that you must use %
and _ as the wildcards, not * and ?. This is true no matter what database
you are using

And then, when you think you have it right and it still does not work,
response.write it to see the result of your concatenation. If you've done it
correctly, you will have a statement that you can copy and paste from the
browser window into the SQL View of an Access Query Builder and run without
modification (unless you need to replace the wildcards with the Jet
wildcards).

This all seems rather difficult, doesn't it? Add to this the fact that a
dynamic sql query will not perform as well as a saved query/stored
procedure, and you have two strikes against it. Add the lack of security due
to leaving yourself open to a SQL Injection attack and you have three
strikes.

Let me show you how easy this can be using a saved parameter query. let's go
back to your statement and parameterize it* :

UPDATE tblListingspriceChanges SET NewPrice = [P1],
ChangeDate = [P2], [Name]=[P3], Original_Price=[P4]
WHERE PriceChangeID = [P5]

Do you notice ANY delimiters in the above sql statement? :-)
Test this statement in the Access Query Builder by running it: you will be
prompted to supply values for each of the parameters. Supply some values and
make sure it works as intended. When you've finished debugging it, save it
as qUpdPriceChange. Notice that you've created and debugged your query in
the environment where debugging and testing of queries should be done: in
the database environment.

Now to run it in ASP:
'create and open a connection object, cn, populate and
'validate your data variables, then:
cn.qUpdPriceChange NewPrice, ChangeDate, Name, _
Original_Price, PriceChangeI

If you are running a query that returns records, you can still use this
syntax, by supplying a recordset variable as an extra argument:

set rs = server.createobject("adodb.recordset")
cn.QueryName parm1,...parmN, rs


HTH,
Bob Barrows
Closed Thread

« previous question | next question »

Similar ASP / Active Server Pages bytes

/bytes/development

/bytes/it

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,295 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved