Hello All,
Hope you can help.
Below is the code I use to send data from form to database.
Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.
mySQL= mySQL &
"(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cH omePh,cBusPh,cFax,cQuestion)"
mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"
2  3198  http://www.aspfaq.com/show.asp?id=2065
and
put this line at the end of your code
mySQL = Replace(mySQL,"'","''")
dave
"PinkBishop" <pi********@hotmail.com> wrote in message
news:6b********************************@4ax.com... Hello All,
Hope you can help.
Below is the code I use to send data from form to database.
Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.
mySQL= mySQL &
"(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cH omePh,cBusPh,cFax,cQuestio
n)"
mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"
PinkBishop wrote: Hello All,
Hope you can help.
Below is the code I use to send data from form to database.
What database? This is always relevant. Always provide the type and version
of database you are using.
Problem is if an apostrophe is entered in cQuestion field or any field
for that matter the form errors out. Please Help.
mySQL= mySQL &
"(cEmail,cFirst,cLast,cStreet,cCity,cState,cZip,cH omePh,cBusPh,cFax,cQuestion)"
mySQL= mySQL & "VALUES ('" & Request.Form("cEmail") & "','"
mySQL= mySQL & Request.Form("cFirst") & "'"
mySQL= mySQL & ",'" & Request.Form("cLast") & "'"
mySQL= mySQL & ",'" & Request.Form("cStreet") & "','"
mySQL= mySQL & Request.Form("cCity") & "','"
mySQL= mySQL & Request.Form("cState") & "','"
mySQL= mySQL & Request.Form("cZip") & "','"
mySQL= mySQL & Request.Form("cHomePh") & "','"
mySQL= mySQL & Request.Form("cBusPh") & "','"
mySQL= mySQL & Request.Form("cFax") & "','"
mySQL= mySQL & Request.Form("cQuestion") & "')"
Your problem is twofold: lack of data validation, and use of dynamic sql.
Passing data from the Request collection to your database without first
validating it is not only error-prone (as you have just discovered), it is
also an invitation to hackers. See: http://mvp.unixwiz.net/techtips/sql-injection.html http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23 http://www.nextgenss.com/papers/adva..._injection.pdf http://www.nextgenss.com/papers/more..._injection.pdf
Your best protection against hackers using SQL Injection is to avoid
building sql statements by concatenating data that was entered by users into
them (dynamic sql). Use parameters instead, either via stored
procedures/saved parameter queries (highly recommended):
Access - http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
SQL Server - http://tinyurl.com/jyy0
or, if you cannot utilize stored procedures for some reason, by using
parameter markers in the sql statement you create in your code, using a
Command object to execute it: http://groups-beta.google.com/group/...e36562fee7804e
Again, regardless of which technique you choose to pass your parameters,
validate your data before passing it to te database. Make sure it is of the
proper datatype, handle any missing data, etc. Hackers can pass data to your
server-side page without using your form, so do not depend on client-side
validation.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM" This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: S. Rhodes |
last post by:
Hello everyone.
I am TOTALLY baffled. PLEASE, I need some help here.
In the event that one must deal with a name including an apostrophe...I am
looking for an appropriate solution.
The...
|
by: Michael Sterling |
last post by:
i'm using delphi 7 and have a query in which i'm trying to find names
that have an apostrophe in them, i.e. "o'mally". my problem is that
when i write my select statement i can't get the quotes...
|
by: Richard Hollenbeck |
last post by:
To prevent future apostrophe bugs and errors, isn't it just simpler to
forbid an apostrophe from being entered into a text field? For example,
couldn't "Alice's Restaurant" be changed to "Alices...
|
by: Trevor |
last post by:
Hi,
I currently have the following code in a subform.
If Not rstPDAddresses.EOF And Not rstPDAddresses.BOF Then
With rstPDAddresses
txtautoAddressID.ControlSource = "='" & Nz(!autoAddressID,...
|
by: karen987 |
last post by:
I have an ASP news page to which you can add comments. The comments open up in a new window, and users can click reply to reply to them after which they are taken to the parent page which has a...
| | |
by: Johnny BeGood |
last post by:
Hi All,
When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
Syntax error (missing operator) in
query expression ''didn't',
Whats...
|
by: caltucker |
last post by:
I have an email form for an organization with an apostrophe in their title: LA's BEST. Their name is part of the standard email greeting. For example, Hello from LA's BEST.
My problem is that...
|
by: Razzbar |
last post by:
I'm working on a bookmarklet that grabs information from a page and
submits it to a server. Yet another social bookmarking application.
I'm having trouble with page titles that include an...
|
by: Path9898 |
last post by:
greetings.
I am having an issue with a piece of code, I was hoping someone can show me where I am going wrong. Basically I select 9 rows of data out of a table that have the same item number, but...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
| |
