
Apostrophe Errors Out Form

Hello All,

Hope you can help.

Below is the code I use to send data from form to database.

Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.

mySQL= mySQL & "(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cHomePh,cBusPh,cFax,cQuestion)"

mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"
Jul 22 '05 #1
2 Replies


http://www.aspfaq.com/show.asp?id=2065

and
put this line at the end of your code
mySQL = Replace(mySQL,"'","''")
dave

"PinkBishop" <pi********@hotmail.com> wrote in message
news:6b********************************@4ax.com...
Hello All,

Hope you can help.

Below is the code I use to send data from form to database.

Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.

mySQL= mySQL & "(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cHomePh,cBusPh,cFax,cQuestion)"
mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"

Jul 22 '05 #2

PinkBishop wrote:
Hello All,

Hope you can help.

Below is the code I use to send data from form to database.
What database? This is always relevant. Always provide the type and version
of database you are using.

Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.

mySQL= mySQL & "(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cHomePh,cBusPh,cFax,cQuestion)"

mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"


Your problem is twofold: lack of data validation, and use of dynamic sql.

Passing data from the Request collection to your database without first
validating it is not only error-prone (as you have just discovered), it is
also an invitation to hackers. See:

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

Your best protection against hackers using SQL Injection is to avoid
building sql statements by concatenating data that was entered by users into
them (dynamic sql). Use parameters instead, either via stored
procedures/saved parameter queries (highly recommended):

Access -
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

SQL Server - http://tinyurl.com/jyy0

or, if you cannot utilize stored procedures for some reason, by using
parameter markers in the sql statement you create in your code, using a
Command object to execute it:

http://groups-beta.google.com/group/...e36562fee7804e

Again, regardless of which technique you choose to pass your parameters,
validate your data before passing it to the database. Make sure it is of the
proper datatype, handle any missing data, etc. Hackers can pass data to your
server-side page without using your form, so do not depend on client-side
validation.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #3
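An added example, written for this thread and not code from either reply: it reproduces the apostrophe failure in the poster's concatenated INSERT, then shows the two remedies the replies describe, dave's per-value Replace("'", "''") and Bob's parameter markers plus server-side validation. Python's sqlite3 module and an in-memory table named contacts stand in for the ASP/ADO database (the original post never names its table); SAMPLE_FORM is a constructed submission, and build_dynamic_sql, insert_escaped, insert_parameterized, validate and handle_submission are names chosen for this illustration.

```python
import sqlite3

# Same column list as the poster's INSERT statement.
COLUMNS = ("cEmail", "cFirst", "cLast", "cStreet", "cCity", "cState",
           "cZip", "cHomePh", "cBusPh", "cFax", "cQuestion")

# Constructed sample submission (not from the thread); two fields carry an apostrophe.
SAMPLE_FORM = {
    "cEmail": "jane@example.com", "cFirst": "Jane", "cLast": "O'Brien",
    "cStreet": "1 Main St", "cCity": "Springfield", "cState": "IL",
    "cZip": "62701", "cHomePh": "555-0100", "cBusPh": "555-0101",
    "cFax": "555-0102", "cQuestion": "What's the turnaround time?",
}


def open_db():
    """In-memory table standing in for the poster's (unnamed) database table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (%s)" % ", ".join(COLUMNS))
    return conn


def build_dynamic_sql(form):
    """Mirror of the original code: field values concatenated into the
    statement text. An apostrophe in any field ends the string literal early."""
    values = "','".join(form[c] for c in COLUMNS)
    return "INSERT INTO contacts (%s) VALUES ('%s')" % (", ".join(COLUMNS), values)


def insert_dynamic(conn, form):
    """Returns True on success, False when the database rejects the statement."""
    try:
        conn.execute(build_dynamic_sql(form))
        return True
    except sqlite3.OperationalError:
        return False


def insert_escaped(conn, form):
    """dave's Replace("'", "''") applied to each value before concatenation.
    (Applied to the finished statement it would also double the delimiting
    quotes, so the escaping has to happen per field.)"""
    escaped = {c: form[c].replace("'", "''") for c in COLUMNS}
    return insert_dynamic(conn, escaped)


def insert_parameterized(conn, form):
    """Bob's recommendation: parameter markers in the statement, values passed
    separately, so field text is never parsed as SQL. Same idea as an ADO
    Command object with '?' markers and a Parameters collection in classic ASP."""
    sql = "INSERT INTO contacts (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" * len(COLUMNS)))
    conn.execute(sql, tuple(form[c] for c in COLUMNS))
    return True


def validate(form):
    """Server-side checks Bob asks for: every field present and non-blank,
    zip numeric. Returns the list of offending field names (empty = valid)."""
    problems = [c for c in COLUMNS if not str(form.get(c, "")).strip()]
    if "cZip" not in problems and not str(form["cZip"]).strip().isdigit():
        problems.append("cZip")
    return problems


def handle_submission(conn, form):
    """Validate first, then insert with parameters; returns a status string."""
    problems = validate(form)
    if problems:
        return "rejected: " + ", ".join(problems)
    insert_parameterized(conn, form)
    return "ok"


def stored_last_names(conn):
    """Rows currently in the table, for checking what each approach stored."""
    return [row[0] for row in conn.execute("SELECT cLast FROM contacts")]


if __name__ == "__main__":
    db = open_db()
    print("dynamic SQL accepted:", insert_dynamic(db, SAMPLE_FORM))  # False
    print("escaped:", insert_escaped(db, SAMPLE_FORM))               # True
    print("parameterized:", handle_submission(db, SAMPLE_FORM))      # ok
    print("rows:", stored_last_names(db))                            # ["O'Brien", "O'Brien"]
```

The first call fails exactly the way the poster's form does: the apostrophe in O'Brien closes the literal and the rest of the value is read as SQL. Per-field doubling of the quote makes the statement parse again, but it only works as long as every value goes through it and the database treats '' as a literal apostrophe; the parameterized path never splices user text into the statement at all, which is why it is the remedy Bob recommends, and the validate step rejects a submission before it reaches the database regardless of what the browser-side form allowed.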
