
Trapping Single Quotation Mark

M P
Hi!

I am looking for a way that I can trap the single quotation mark. If an
encoder uses a single quotation mark in a textbox field, it always gives me an
error because I use single quotes in the SQL statement. Can you help me trap
this character so it does not produce an error?

Me
Nov 24 '05 #1
M P wrote on 24 nov 2005 in microsoft.public.inetserver.asp.general:
> I am looking for a way that I can trap the single quotation mark. If
> an encoder uses a single quotation mark in a textbox field, it always
> gives me an error because I use single quotes in the SQL statement. Can
> you help me trap this character so it does not produce an error?


t = replace(t, "'","`")

btw, the single quote/apostrophe won't ALWAYS give you an error.
Not when used by a hacker to gain entry to your server.

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)

Nov 24 '05 #2
M P wrote:
> Hi!
>
> I am looking for a way that I can trap the single quotation mark. If
> an encoder uses a single quotation mark in a textbox field, it always
> gives me an error because I use single quotes in the SQL statement.
> Can you help me trap this character so it does not produce an error?
>
> Me

The (to me) simple answer is to stop using dynamic SQL and start using
parameters.
Either via saved parameter queries (Access):
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

http://groups.google.com/groups?hl=e...tngp13.phx.gbl

http://groups-beta.google.com/group/...d322b882a604bd

Stored procedures (SQL Server):
http://tinyurl.com/jyy0

or, if you can't bring yourself to try either of the above, via an explicit
Command object used to pass parameters to a string containing ODBC parameter
markers:
http://groups-beta.google.com/group/...e36562fee7804e

The explanation for Evertjan's "hackers" remark can be found here:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Nov 24 '05 #3

"M P" <ma**@textguru.ph> wrote in message
news:ed*************@TK2MSFTNGP11.phx.gbl...
> Hi!
>
> I am looking for a way that I can trap the single quotation mark. If an
> encoder uses a single quotation mark in a textbox field, it always gives me
> an error because I use single quotes in the SQL statement. Can you help me
> trap this character so it does not produce an error?


Two general rules of thumb:

* Test for what is allowed rather than what is not allowed.
* Use parameterized SQL.

Walk the string, character by character, testing for allowed characters. For
example:

Function IsGoodString(ByVal str)
    Const strGoodChars = "abcdABCD0123" ' Allowed chars
    Dim C
    Dim I
    IsGoodString = True
    For I = 1 To Len(str)
        C = Mid(str, I, 1)
        If (InStr(strGoodChars, C) = 0) Then ' Not found
            IsGoodString = False
            Exit For
        End If
    Next
End Function

Here is a brief white paper on securing ASP pages that you might find
interesting:

http://www.ngssoftware.com/papers/asp.pdf

One thing you will soon notice is that embedded quotes are only the
beginning of the problem. A good general purpose solution is to use
parameterized SQL. You will also find that white paper contains links to
other white papers of interest. A lot has been written on the subject of SQL
injection and how to prevent such attacks.

If, after reading that white paper, you still do not want to use
parameterized SQL you can "escape" delimiting characters (such as single
quotes) by using the Replace function:

strNewString = Replace(strOldString, "'", "''")

Nov 24 '05 #4
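An added example, in Python rather than ASP and not code from the thread: the standard-library sqlite3 module and a constructed `authors` table stand in for the poster's database, and the three approaches the replies in #3 and #4 discuss are run against a last name containing an apostrophe. The `?` placeholder is the same parameter-marker style as the ODBC markers mentioned in #3; the table contents and function names are assumptions made for this example.

```python
import sqlite3

# Added example, not code from the thread. A small in-memory SQLite table
# stands in for the poster's database; the names are constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO authors (last_name) VALUES (?)",
                     [("Smith",), ("O'Donnel",), ("Barrows",)])
    conn.commit()
    return conn


def run(conn, sql, params=()):
    """Execute a query and report ('ok', [ids]) or ('error', message)
    instead of raising, so the three variants can be compared side by side."""
    try:
        rows = conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", [row[0] for row in rows])


def find_dynamic(conn, last_name):
    """What the original poster does: paste the form value between single
    quotes. An apostrophe in the value ends the string literal early and
    the rest of the value is parsed as SQL, hence the syntax error."""
    sql = "SELECT id FROM authors WHERE last_name = '" + last_name + "'"
    return run(conn, sql)


def find_escaped(conn, last_name):
    """Post #4's Replace(s, "'", "''"): a doubled quote is a literal quote
    inside a SQL string literal, so the value stays inside the quotes.
    This only helps where the value sits inside a quoted literal."""
    sql = ("SELECT id FROM authors WHERE last_name = '"
           + last_name.replace("'", "''") + "'")
    return run(conn, sql)


def find_parameterized(conn, last_name):
    """Post #3's recommendation: the value travels to the driver separately
    from the SQL text, is never parsed as SQL, and needs no escaping."""
    sql = "SELECT id FROM authors WHERE last_name = ?"
    return run(conn, sql, (last_name,))


if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Donnel"):
        print(name)
        print("  dynamic      :", find_dynamic(db, name))
        print("  escaped      :", find_escaped(db, name))
        print("  parameterized:", find_parameterized(db, name))
```

Running the module prints the three results for each name. The dynamic query works for Smith and fails for O'Donnel, which is the error the original poster sees; doubling the quote repairs the string literal but only applies where the value sits inside quotes; the parameterized form needs no escaping at all because the value is never read as SQL text.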
"MyndPhlyp" <no****@homeright.now> wrote in message
news:ux**************@TK2MSFTNGP11.phx.gbl...
> Walk the string, character by character,

Yuk!

Wouldn't regular expressions be a skosh more efficient?

Bob Lehmann
Nov 24 '05 #5
MyndPhlyp wrote on 24 nov 2005 in microsoft.public.inetserver.asp.general:
> Function IsGoodString(ByVal str)
>     Const strGoodChars = "abcdABCD0123" ' Allowed chars
>     Dim C
>     Dim I
>     IsGoodString = True
>     For I = 1 To Len(str)
>         C = Mid(str, I, 1)
>         If (InStr(strGoodChars, C) = 0) Then ' Not found
>             IsGoodString = False
>             Exit For
>         End If
>     Next
> End Function


<script language=jscript runat=server>
function IsGoodString(str){
    return !/[^abcd0123]/i.test(str)
}
</script>

Testing:<br>

<%
response.write IsGoodString("Abba")
response.write "<br>"
response.write IsGoodString("Zoef")
%>

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)

Nov 24 '05 #6
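An added example, in Python and not code from the thread, covering the allow-list check from #4 (the character walk) and #6 (the regex): both functions apply the same rule, and the example generalizes it to per-field allow-lists so that a numeric id and a surname are checked against different sets. The field names and allow-lists are assumptions made for this example.

```python
import re
import string

# Added example, not code from the thread. Both functions apply the rule of
# the VBScript IsGoodString (post #4) and the JScript regex (post #6): a
# value is accepted only if every character is in an explicit allow-list.

THREAD_ALLOWED = "abcdABCD0123"  # the toy allow-list used in the thread


def is_good_string_walk(value, allowed=THREAD_ALLOWED):
    """Character walk: the first character outside the allow-list rejects
    the value. The empty string is accepted, as in the VBScript loop."""
    for ch in value:
        if ch not in allowed:
            return False
    return True


def is_good_string_regex(value, allowed=THREAD_ALLOWED):
    """Regex form: build a character class from the allow-list and require
    the whole value to match it. re.escape keeps characters such as '-' or
    ']' literal inside the class; fullmatch avoids the trap that '$' also
    matches just before a trailing newline."""
    pattern = re.compile("[" + re.escape(allowed) + "]*")
    return pattern.fullmatch(value) is not None


# Per-field allow-lists (constructed for this example). An allow-list is
# only meaningful when chosen for what the field is supposed to hold; a
# surname field has to admit the apostrophe, since O'Donnel is a real name.
FIELD_ALLOWED = {
    "author_id": string.digits,
    "last_name": string.ascii_letters + "'-",
}


def rejected_fields(form):
    """Return the names of form fields whose value falls outside that
    field's allow-list, so the request can be refused before any SQL runs."""
    return [name for name, value in form.items()
            if not is_good_string_walk(value, FIELD_ALLOWED[name])]


if __name__ == "__main__":
    print(is_good_string_walk("Abba"), is_good_string_regex("Abba"))      # True True
    print(is_good_string_walk("Zoef"), is_good_string_regex("Zoef"))      # False False
    print(rejected_fields({"author_id": "42", "last_name": "O'Donnel"}))  # []
    print(rejected_fields({"author_id": "4x2", "last_name": "Sm1th"}))    # ['author_id', 'last_name']
```

Because the surname allow-list must admit the apostrophe, validation of this kind narrows what reaches the database but does not remove the need for parameters or escaping on the text fields; where it does most good is on fields such as a numeric id, which are not wrapped in quotes and which quote-doubling therefore never protects.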

"Bob Lehmann" <no****@dontbotherme.zzz> wrote in message
news:uQ**************@tk2msftngp13.phx.gbl...
>> Walk the string, character by character,
>
> Yuk!
>
> Wouldn't regular expressions be a skosh more efficient?


Eh. It is all a matter of personal style. They both accomplish the same
task. Depending on your myndset one method is more easily recognized than
the other. The difference in overhead is going to be negligible. I tend to
fall back to really old school methods since it can be recognized by
virtually all levels of programming experience. Besides, it is just an
example and I prefer to leave the art of computer programming and
efficiencies/inefficiencies to Donald E. Knuth
http://www-cs-faculty.stanford.edu/~knuth/.

(Hey - he finally got Volume 4 published!)
Nov 24 '05 #7
"MyndPhlyp" <no****@homeright.now> wrote in message
news:ui**************@TK2MSFTNGP10.phx.gbl...
> They both accomplish the same task. Depending on your myndset one method
> is more easily recognized than the other.

So, given the task of moving several tons of rocks, you would suggest using
a wheelbarrow, since it is easier to understand, and use, than a front-end
loader?

VB(Script) is notorious for inefficient string handling. I expect that on a
string of even 200+ bytes there would be a significant, noticeable difference
between your method and a regular expression.

Bob Lehmann
Nov 25 '05 #8
"Bob Lehmann" <no****@dontbotherme.zzz> wrote in message
news:Oy**************@tk2msftngp13.phx.gbl...

bla blah blah
Dec 5 '05 #9
"Larry Randolf" <la*********@hotmail.com> wrote in message
news:uX****************@TK2MSFTNGP14.phx.gbl...
> bla blah blah

My, aren't you a clever one!

It is also impressive how willing you are to put your ignorance on public
display.

Keep up the good work!

Bob Lehmann
Dec 6 '05 #10
