Problem with %

Hello!
I have a SELECT command passed through ASP like this:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID

and when I pass it, it gives me:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"´ectuar" ORDER BY PK_A_MSGID

Why? How can I correct this?
Thanks
Jul 19 '05 #1
I don't know what the story is with the %'s disappearing, but you should be
using ' to delimit in SQL, not ".

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"

Ray at home
Jul 19 '05 #2
If I use ' instead of " it gives me:

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE
Jul 19 '05 #3
How about posting the relevant code snippet you're using to generate this
string?

Ray at home
Jul 19 '05 #4
This uses 3 scripts with querystring passing.
Jul 19 '05 #5
How about posting the relevant code snippet you're using to generate this
string?

Ray at home
Jul 19 '05 #6
On Tue, 14 Oct 2003 00:17:01 +0100, "webfox" <we****@sapo.pt> wrote:
Wouldn't the %E be converted to a character? In other words, it's
translating just like %20 becomes a space. %EF is some high-order
character.

Try doing an encoding on the string before passing it.

Jul 19 '05 #7
Pass through the form collection instead of the querystring collection.
Aside from the string formatting issues, think about what the user could do
to this URL:

http://www.yourserver.com/page.asp?q...T+*+FROM+table

Could easily become:

http://www.yourserver.com/page.asp?q...OP+TABLE+table

Use ' not "" for delimiting the string, and consider passing only the
dynamic portion of the query...
Jul 19 '05 #8
"Aaron Bertrand - MVP" wrote:

Pass through the form collection instead of the querystring
collection. Aside from the string formatting issues, think
about what the user could do to this URL:

http://www.yourserver.com/page.asp?q...T+*+FROM+table

Could easily become:

http://www.yourserver.com/page.asp?q...OP+TABLE+table
Can someone please explain how changing to the form collection protects me
from this type of malicious submission? Assuming the user is sophisticated
enough to form a damaging request, I see no reason to think he could not
tweak a form submission with as much ease as a querystring.
Use ' not "" for delimiting the string, and consider passing
only the dynamic portion of the query...


Consider? This should be a point of evangelism. If it's worth the time spent
to develop, it's worth a few minutes more to construct a stored procedure,
the benefits of which exceed simple prevention of malicious code execution.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #9
> Can someone please explain how changing to the form collection protects me
> from this type of malicious submission?


It doesn't protect you, per se, but it makes it easier to validate (since
you can add referrer checks, session data, elapsed time, etc. to make sure
the form came from where you expect it to).
Jul 19 '05 #10
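Added example (not code from the thread or from any of its posters) that ties together what replies #7, #8 and #10 point at: the querystring decoder consumes the leading "%Ef" of "%Efectuar%" as a percent-escape, and the fix that also removes the injection risk is to never ship SQL in the request but to send only the search term and bind it as a parameter. Table and column names are the thread's own; the sqlite3 stand-in for the original database, the sample rows and the "Desconto 100%" wildcard case are assumptions.

```python
import sqlite3
from urllib.parse import quote, unquote

# Table and column names are the ones from the thread; the rows are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE S_MSGS (PK_A_MSGID INTEGER PRIMARY KEY, "
                 "C3_MSG TEXT, C3_MSGPT TEXT, C3_MSGEN TEXT)")
    conn.executemany("INSERT INTO S_MSGS VALUES (?, ?, ?, ?)", [
        (1, "Efectuar pagamento", "Efectuar pagamento", "Make payment"),
        (2, "Cancelar", "Cancelar", "Cancel"),
        (3, "Efectuar reserva", "Efectuar reserva", "Make reservation"),
        (4, "Desconto 100%", "Desconto 100%", "100% discount"),
    ])
    return conn

def decode_querystring_value(raw: str) -> str:
    """What the server does to a raw querystring value: percent-decode it.
    '%Ef' is a valid escape, so '%Efectuar%' loses its first three characters
    to a single 0xEF byte (the thread's mangled '...ectuar' symptom)."""
    return unquote(raw, encoding="latin-1")

def encode_querystring_value(value: str) -> str:
    """Encode a term before placing it in a URL so a literal '%' survives ('%' -> '%25')."""
    return quote(value, safe="", encoding="latin-1")

def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE wildcards in user input so '%' and '_' match literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_messages(conn: sqlite3.Connection, term: str) -> list:
    """The thread's query with the SQL fixed in code; only the search term
    comes from the request and it is bound as a parameter, never spliced in."""
    pattern = "%" + escape_like(term) + "%"
    sql = ("SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS "
           "WHERE C3_MSG LIKE ? ESCAPE '\\' ORDER BY PK_A_MSGID")
    return conn.execute(sql, (pattern,)).fetchall()

if __name__ == "__main__":
    raw = "%Efectuar%"
    print(repr(decode_querystring_value(raw)))                       # 'ïectuar%'
    print(decode_querystring_value(encode_querystring_value(raw)))   # %Efectuar%
    db = make_db()
    print(search_messages(db, "Efectuar"))      # rows 1 and 3
    print(search_messages(db, "100%"))          # row 4 only: '%' matched literally
    print(search_messages(db, "' OR 1=1 --"))   # []: the payload is just text
```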