Problem with %

Hello!
I have a SELECT command passed through ASP like this:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID

and when I pass it, it gives me:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"ïectuar" ORDER BY PK_A_MSGID

Why? How can I correct this?
Thanks
Jul 19 '05 #1
I don't know what the story is with the %'s disappearing, but you should be
using ' to delimit in SQL, not ".

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"

Ray at home

"webfox" <we****@sapo.pt> wrote in message
news:e4***************@TK2MSFTNGP10.phx.gbl...

Jul 19 '05 #2
If I use ' instead of " it gives me:

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE

"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#f**************@TK2MSFTNGP12.phx.gbl...

Jul 19 '05 #3
How about posting the relevant code snippet you're using to generate this
string?

Ray at home

"webfox" <we****@sapo.pt> wrote in message
news:u0**************@TK2MSFTNGP11.phx.gbl...

Jul 19 '05 #4
This uses 3 scripts with querystring pass.

"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#E**************@TK2MSFTNGP09.phx.gbl...

Jul 19 '05 #5
How about posting the relevant code snippet you're using to generate this
string?

Ray at home

"webfox" <we****@sapo.pt> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...

Jul 19 '05 #6
On Tue, 14 Oct 2003 00:17:01 +0100, "webfox" <we****@sapo.pt> wrote:

Wouldn't the %E be converted to a character? In other words, it's
translating just like %20 becomes a space. %EF is some high order
character.

Try doing an encoding on the string before passing it.

Jul 19 '05 #7
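The decoding step described in the reply above, as an added example that is not code from the thread: the querystring rule ("%" plus two hex digits is one byte) is applied by hand to the poster's LIKE clause, cross-checked against Python's `urllib.parse.unquote`, and contrasted with encoding the value first so the `%` survives the trip. Reading the decoded bytes as Latin-1 is an assumption (classic ASP used the server's code page).

```python
from urllib.parse import quote, unquote

# Constructed sample: the LIKE clause as the original poster placed it in the URL.
RAW_CLAUSE = 'C3_MSG LIKE ""%Efectuar%"" ORDER BY PK_A_MSGID'

HEX_DIGITS = "0123456789abcdefABCDEF"


def percent_decode(s: str) -> str:
    """Apply the querystring rule by hand: '%' plus two hex digits is one byte.

    Decoded bytes are read as Latin-1 here (an assumption; classic ASP used the
    server's code page), so the '%Ef' at the start of '%Efectuar' becomes 'ï'
    (0xEF) and the 'E' and 'f' vanish. A '%' that is not followed by two hex
    digits, such as the trailing '%""', is passed through untouched.
    """
    out = []
    i = 0
    while i < len(s):
        if (s[i] == "%" and i + 2 < len(s)
                and s[i + 1] in HEX_DIGITS and s[i + 2] in HEX_DIGITS):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def percent_encode(s: str) -> str:
    """Encode the value before putting it in a URL: '%' becomes '%25',
    space becomes '%20', '"' becomes '%22', so decoding restores the original."""
    return quote(s, safe="")
```

`percent_decode(RAW_CLAUSE)` yields `C3_MSG LIKE ""ïectuar%"" ORDER BY PK_A_MSGID`, which is where the poster's `ïectuar` comes from; `percent_decode(percent_encode(RAW_CLAUSE))` returns the clause unchanged.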
Pass through the form collection instead of the querystring collection.
Aside from the string formatting issues, think about what the user could do
to this URL:

http://www.yourserver.com/page.asp?q...T+*+FROM+table

Could easily become:

http://www.yourserver.com/page.asp?q...OP+TABLE+table

Use ' not "" for delimiting the string, and consider passing only the
dynamic portion of the query...

"webfox" <we****@sapo.pt> wrote in message
news:e4*************@TK2MSFTNGP10.phx.gbl...

Jul 19 '05 #8
"Aaron Bertrand - MVP" wrote:

> Pass through the form collection instead of the querystring
> collection. Aside from the string formatting issues, think
> about what the user could do to this URL:
>
> http://www.yourserver.com/page.asp?q...T+*+FROM+table
>
> Could easily become:
>
> http://www.yourserver.com/page.asp?q...OP+TABLE+table

Can someone please explain how changing to the form collection protects me
from this type of malicious submission? Assuming the user is sophisticated
enough to form a damaging request, I see no reason to think he could not
tweak a form submission with as much ease as a querystring.

> Use ' not "" for delimiting the string, and consider passing
> only the dynamic portion of the query...

Consider? This should be a point of evangelism. If it's worth the time spent
to develop, it's worth a few minutes more to construct a stored procedure,
the benefits of which exceed simple prevention of malicious code execution.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #9
> Can someone please explain how changing to the form collection protects me
> from this type of malicious submission?


It doesn't protect you, per se, but it makes it easier to validate (since
you can add referrer checks, session data, elapsed time, etc. to make sure
the form came from where you expect it to).
Jul 19 '05 #10
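Aaron's "pass only the dynamic portion" and Dave's stored-procedure advice carried into working code, as an added example that is not from the thread. It assumes SQLite through Python's `sqlite3` in place of the poster's unnamed database and constructs a few sample rows; the `?` placeholder plays the role of a stored-procedure argument, so the request carries only the search term and the SQL text itself never comes from the client.

```python
import sqlite3

# Constructed sample rows for the S_MSGS table named in the thread.
SAMPLE_ROWS = [
    (1, "Efectuar pagamento", "Efectuar pagamento", "Make payment"),
    (2, "Cancelar", "Cancelar", "Cancel"),
    (3, "Efectuar login", "Efectuar login", "Log in"),
]


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the poster's database (assumption: SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE S_MSGS (PK_A_MSGID INTEGER PRIMARY KEY, "
        "C3_MSG TEXT, C3_MSGPT TEXT, C3_MSGEN TEXT)"
    )
    conn.executemany("INSERT INTO S_MSGS VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_messages(conn: sqlite3.Connection, term: str) -> list:
    """Only the search term comes from the request; the SQL text is fixed here.

    The LIKE wildcards are added server-side, and any % or _ the user typed is
    escaped, so whatever arrives is matched as literal text. A value such as
    "'; DROP TABLE S_MSGS; --" is just a string nobody's message contains.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS "
           "WHERE C3_MSG LIKE ? ESCAPE '\\' ORDER BY PK_A_MSGID")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Lets a caller confirm the table survived whatever the client sent."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None
```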