Hello!
I have a SELECT command passed through ASP like this:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID
and when I pass it, it gives me:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"ïectuar" ORDER BY PK_A_MSGID
Why? How can I correct this?
Thanks
I don't know what the story is with the %'s disappearing, but you should be
using ' to delimit in SQL, not ".
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
Ray at home
"webfox" <we****@sapo.pt> wrote in message
news:e4***************@TK2MSFTNGP10.phx.gbl... Hello! I have a SELECT comand passed trhough ASP like This:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG
LIKE ""%Efectuar%"" ORDER BY PK_A_MSGID
and when i pass it it gives me:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG
LIKE "ïectuar" ORDER BY PK_A_MSGID
Why? how can i correct this? Thanks
If I use ' instead of " it gives me:
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#f**************@TK2MSFTNGP12.phx.gbl... I don't know what the story is with the %'s disappearing, but you should
be using ' to delimit in SQL, not ".
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
Ray at home
"webfox" <we****@sapo.pt> wrote in message news:e4***************@TK2MSFTNGP10.phx.gbl... Hello! I have a SELECT comand passed trhough ASP like This:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE ""%Efectuar%"" ORDER BY PK_A_MSGID
and when i pass it it gives me:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE "ïectuar" ORDER BY PK_A_MSGID
Why? how can i correct this? Thanks
How about posting the relevant code snippet you're using to generate this
string?
Ray at home
"webfox" <we****@sapo.pt> wrote in message
news:u0**************@TK2MSFTNGP11.phx.gbl... if i use ' instead off " give me :
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message news:#f**************@TK2MSFTNGP12.phx.gbl... I don't know what the story is with the %'s disappearing, but you should be using ' to delimit in SQL, not ".
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
Ray at home
"webfox" <we****@sapo.pt> wrote in message news:e4***************@TK2MSFTNGP10.phx.gbl...
This uses 3 scripts with a querystring pass.
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#E**************@TK2MSFTNGP09.phx.gbl... How about posting the relevant code snippet you're using to generate this string?
Ray at home
"webfox" <we****@sapo.pt> wrote in message news:u0**************@TK2MSFTNGP11.phx.gbl... if i use ' instead off " give me :
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message news:#f**************@TK2MSFTNGP12.phx.gbl... I don't know what the story is with the %'s disappearing, but you
should be using ' to delimit in SQL, not ".
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS
WHERE C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
Ray at home
"webfox" <we****@sapo.pt> wrote in message news:e4***************@TK2MSFTNGP10.phx.gbl...
How about posting the relevant code snippet you're using to generate this
string?
Ray at home
"webfox" <we****@sapo.pt> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl... this use 3 scripts with querystring pass
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message news:#E**************@TK2MSFTNGP09.phx.gbl... How about posting the relevant code snippet you're using to generate
this string?
Ray at home
"webfox" <we****@sapo.pt> wrote in message news:u0**************@TK2MSFTNGP11.phx.gbl... if i use ' instead off " give me :
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS
WHERE C3_MSG LIKE
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in
message news:#f**************@TK2MSFTNGP12.phx.gbl... > I don't know what the story is with the %'s disappearing, but you should be > using ' to delimit in SQL, not ". > > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE > C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID" > > Ray at home > > "webfox" <we****@sapo.pt> wrote in message > news:e4***************@TK2MSFTNGP10.phx.gbl...
On Tue, 14 Oct 2003 00:17:01 +0100, "webfox" <we****@sapo.pt> wrote:
Wouldn't the %E be converted to a character? In other words, it's
translating just like %20 becomes a space. %EF is some high-order
character.
Try doing an encoding on the string before passing it.
Pass through the form collection instead of the querystring collection.
Aside from the string formatting issues, think about what the user could do
to this URL: http://www.yourserver.com/page.asp?q...T+*+FROM+table
Could easily become: http://www.yourserver.com/page.asp?q...OP+TABLE+table
Use ' not "" for delimiting the string, and consider passing only the
dynamic portion of the query...
"webfox" <we****@sapo.pt> wrote in message
news:e4*************@TK2MSFTNGP10.phx.gbl... Hello! I have a SELECT comand passed trhough ASP like This:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG
LIKE ""%Efectuar%"" ORDER BY PK_A_MSGID
and when i pass it it gives me:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG
LIKE "ïectuar" ORDER BY PK_A_MSGID
Why? how can i correct this? Thanks
"Aaron Bertrand - MVP" wrote: Pass through the form collection instead of the querystring collection. Aside from the string formatting issues, think about what the user could do to this URL:
http://www.yourserver.com/page.asp?q...T+*+FROM+table
Could easily become:
http://www.yourserver.com/page.asp?q...OP+TABLE+table
Can someone please explain how changing to the form collection protects me
from this type of malicious submission? Assuming the user is sophisticated
enough to form a damaging request, I see no reason to think he could not
tweak a form submission with as much ease as a querystring.
> Use ' not "" for delimiting the string, and consider passing only the dynamic portion of the query...
Consider? This should be a point of evangelism. If it's worth the time spent
to develop, it's worth a few minutes more to construct a stored procedure,
the benefits of which exceed simple prevention of malicious code execution.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
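The three points raised above, that the web server percent-decodes `%Ef` into a character, that only the dynamic portion of the query should travel in the request, and that the statement itself should live server-side, shown together in an added Python example that is not code from the thread. sqlite3 stands in for the poster's database and the S_MSGS rows are constructed; the decoding assumes a Latin-1 code page, as the `ï` in the post suggests.

```python
import sqlite3
from urllib.parse import quote, unquote


def decode_querystring_value(value: str) -> str:
    """Percent-decode one query-string value the way a web server does.

    '%Ef' is a valid escape for byte 0xEF, which is 'ï' in Latin-1 (assumed
    here as the site's code page), so the raw LIKE pattern '%Efectuar%' is
    mangled to 'ïectuar%' before the ASP page ever sees it.
    """
    return unquote(value, encoding="latin-1", errors="replace")


def encode_querystring_value(value: str) -> str:
    """Encode a value for a URL so a literal '%' survives the round trip
    ('%' becomes '%25'): the 'do an encoding on the string' advice."""
    return quote(value, safe="")


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the poster's S_MSGS table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE S_MSGS (PK_A_MSGID INTEGER PRIMARY KEY, "
                "C3_MSG TEXT, C3_MSGPT TEXT, C3_MSGEN TEXT)")
    con.executemany("INSERT INTO S_MSGS VALUES (?, ?, ?, ?)", [
        (1, "Efectuar pagamento", "Efectuar pagamento", "Make payment"),
        (2, "Cancelar pedido", "Cancelar pedido", "Cancel order"),
        (3, "Efectuar login", "Efectuar login", "Log in"),
    ])
    return con


def search_messages(con: sqlite3.Connection, term: str) -> list:
    """Keep the SELECT server-side and ship only the search term.

    The term is bound as a parameter, so it cannot alter the statement, and
    its own '%' and '_' are escaped so they match literally; the LIKE
    wildcards are added here, not by the caller.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT PK_A_MSGID FROM S_MSGS WHERE C3_MSG LIKE ? ESCAPE '\\' "
           "ORDER BY PK_A_MSGID")
    rows = con.execute(sql, ("%" + escaped + "%",)).fetchall()
    return [row[0] for row in rows]
```

With the term bound as a parameter, the DROP TABLE text from Aaron's example simply matches no row; the statement is never reinterpreted.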
> Can someone please explain how changing to the form collection protects me from this type of malicious submission?
It doesn't protect you, per se, but it makes it easier to validate (since
you can add referrer checks, session data, elapsed time, etc. to make sure
the form came from where you expect it to).