Hi,
Can anyone here point me at a definitive guide or tutorial about using
escape characters when building SQL queries from user entered data?
I'm especially interested in info on this in regard to Access databases and
(classic) ASP.
I've been writing ASP for just over a year now, and I've usually found very
comprehensive answers to other problems on one of the many excellent website
resources out there. The coverage of this particular issue seems to be
patchy at best though. Given the importance of this in regards to security
and making sure key features like search facilities work properly I'm
suprised it isn't covered very well. The solutions i've seen include
doubling apostrophes (which doesn't always seem to work), using [] brackets
within LIKE clauses (so how do you escape square brackets?), using
backslashes, using an ESCAPE keyword etc.
What I want to know is which solutions to use in which cases, and a full
list of characters to check for would be useful also.
Thanks
D.Jones 2 8536
Basic principles (except for DB-specific escape char) are the same
whatever the platform http://www.google.com/search?hl=en&i...L+injection%22 http://groups.google.com/groups?hl=e...=Google+Search
Tim.
"BTnews" <pa************ *******@btinter net.com> wrote in message
news:bv******** **@sparta.btint ernet.com... Hi,
Can anyone here point me at a definitive guide or tutorial about
using escape characters when building SQL queries from user entered data? I'm especially interested in info on this in regard to Access
databases and (classic) ASP.
I've been writing ASP for just over a year now, and I've usually
found very comprehensive answers to other problems on one of the many excellent
website resources out there. The coverage of this particular issue seems to
be patchy at best though. Given the importance of this in regards to
security and making sure key features like search facilities work properly
I'm suprised it isn't covered very well. The solutions i've seen include doubling apostrophes (which doesn't always seem to work), using []
brackets within LIKE clauses (so how do you escape square brackets?), using backslashes, using an ESCAPE keyword etc.
What I want to know is which solutions to use in which cases, and a
full list of characters to check for would be useful also.
Thanks
D.Jones
BTnews wrote: Hi,
Can anyone here point me at a definitive guide or tutorial about using escape characters when building SQL queries from user entered data? I'm especially interested in info on this in regard to Access databases and (classic) ASP.
I've been writing ASP for just over a year now, and I've usually found very comprehensive answers to other problems on one of the many excellent website resources out there. The coverage of this particular issue seems to be patchy at best though. Given the importance of this in regards to security and making sure key features like search facilities work properly I'm suprised it isn't covered very well. The solutions i've seen include doubling apostrophes (which doesn't always seem to work), using [] brackets within LIKE clauses (so how do you escape square brackets?), using backslashes, using an ESCAPE keyword etc.
What I want to know is which solutions to use in which cases, and a full list of characters to check for would be useful also.
Thanks
D.Jones
In both SQL and vbscript (VB/VBA), you escape characters by doubling them. I
have never seen a circumstance where this did not "seem to work". Perhaps
you could expand on this ...
Backslashes are used in jscript/javascript. I've never used a language that
used an ESCAPE keyword.
I have posted on this subject several times in the past, so instead of
writing about it again, here are some links: http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl http://www.google.com/groups?hl=en&l...r%3D%26hl%3Den http://tinyurl.com/jyy0 http://www.google.com/groups?hl=en&l...miter%2Bauthor
:Bob%2Bauthor:B arrows%26hl%3De n%26lr%3D%26ie% 3DUTF-8%26oe%3DUTF-8%26start%3D
10%26sa%3DN
HTH,
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM" This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Matthew Wieder |
last post by:
In my previous post, I asked about a routine which prepares a string for
an XPath query by taking care of escape characters.
Unable to find a list, I'm now wondering assumign I enclose the
attribute value in quotes in my XPath query, what other escape
characters need to be handled aside from a quotation mark? As I
understand it, an apostrophe wouldn't be a problem since I'm enclosing
the string in quotes.
thanks!
|
by: teachtiro |
last post by:
Hi,
'C' says \ is the escape character to be used when characters are
to be interpreted in an uncommon sense, e.g. \t usage in printf(),
but for printing % through printf(), i have read that %% should be used.
Wouldn't it have been better (from design perspective) if the same
escape character had been used in this case too.
Forgive me for posting without verfying things with any standard
compiler, i don't have the means for now.
|
by: Steve Litvack |
last post by:
Hello,
I have built an XMLDocument object instance and I get the following string
when I examine the InnerXml property:
<?xml version=\"1.0\"?><ROOT><UserData UserID=\"2282\"><Tag1
QID=\"55111\"><Tag2 AID=\"5511101\"></Tag2></Tag1><Tag1 QID=\"55112\"><Tag2
AID=\"5511217\"></Tag2></Tag1><Tag1 QID=\"5512282\"><Tag2
AID=\"551228206\"></Tag2></Tag1><Tag1 QID=\"55114\"><Tag2
AID=\"5511406\"></Tag2></Tag1><Tag1 QID=\"55115\"><Tag2
|
by: Guadala Harry |
last post by:
I need to place the following into a string... How can I properly escape the
% " / < and > characters?
<table width="100%" border="0" cellspacing="0" cellpadding="4px"
class="hfAll"></Table>
Thanks.
|
by: Jeff S |
last post by:
In a VB.NET code behind module, I build a string for a link that points to a
JavaScript function. The two lines of code below show what is relevant.
PopupLink = "javascript:PopUpWindow(" & Chr(34) & PopUpWindowTitle & Chr(34)
& ", " & Chr(34) & CurrentEventDetails & ")"
strTemp += "<BR><A HREF='#' onClick='" & PopupLink & "'>" & EventName &
"</A><BR>"
The problem I have is that when the string variables or
contain a string with an...
| |
by: Guadala Harry |
last post by:
I'd like to know the answer to the following question so I can know what to
expect with regard to other similar uses of escape characters and strings.
While everything works fine - I'd like to know specifically why:
I am building a simple HTML table in my C# code-behind by concatenating
strings that contain different parts of the table and table content...
something like this:
string myTable = "<table width=\"100%\" border=\"0\"...
|
by: Axel Dahmen |
last post by:
Hi,
within a DataGrid control I'm using a DataTable containing a string column
to fill a Hyperlink's href attribute. Unfortunately HttpUtility.UrlEncode()
doesn't escape the apostroph character, thus ruining some of my hrefs.
How do I correctly escape any character using a Page's current encoding (I
don't want to hard-code the encoding)?
TIA,
|
by: pkaeowic |
last post by:
I am having a problem with the "escape" character \e. This code is in my
Windows form KeyPress event. The compiler gives me "unrecognized escape
sequence" even though this is documented in MSDN. Any idea if this is a bug?
if (e.KeyChar == '\e')
{
this.Close();
}
|
by: Lawrence D'Oliveiro |
last post by:
The "escape" function in the "cgi" module escapes characters with special
meanings in HTML. The ones that need escaping are '<', '&' and '"'.
However, cgi.escape only escapes the quote character if you pass a second
argument of True (the default is False):
'the "quick" & <brown> fox'
'the "quick" & <brown> fox'
This seems to me to be dumb. The default option should be the safe one: that
is, escape _all_ the potentially troublesome...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |