
Escape characters

Hi,

Can anyone here point me at a definitive guide or tutorial about using
escape characters when building SQL queries from user entered data?
I'm especially interested in info on this in regard to Access databases and
(classic) ASP.

I've been writing ASP for just over a year now, and I've usually found very
comprehensive answers to other problems on one of the many excellent website
resources out there. The coverage of this particular issue seems to be
patchy at best though. Given the importance of this in regards to security
and making sure key features like search facilities work properly, I'm
surprised it isn't covered very well. The solutions I've seen include
doubling apostrophes (which doesn't always seem to work), using [] brackets
within LIKE clauses (so how do you escape square brackets?), using
backslashes, using an ESCAPE keyword etc.

What I want to know is which solutions to use in which cases, and a full
list of characters to check for would be useful also.

Thanks

D.Jones
Jul 19 '05 #1
2 Replies



Basic principles (except for the DB-specific escape char) are the same
whatever the platform.

http://www.google.com/search?hl=en&i...L+injection%22
http://groups.google.com/groups?hl=e...=Google+Search

Tim.
Jul 19 '05 #2


In both SQL and vbscript (VB/VBA), you escape characters by doubling them. I
have never seen a circumstance where this did not "seem to work". Perhaps
you could expand on this ...

Backslashes are used in jscript/javascript. I've never used a language that
used an ESCAPE keyword.

I have posted on this subject several times in the past, so instead of
writing about it again, here are some links:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

http://www.google.com/groups?hl=en&l...r%3D%26hl%3Den

http://tinyurl.com/jyy0

http://www.google.com/groups?hl=en&l...miter%2Bauthor:Bob%2Bauthor:Barrows%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN

HTH,
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 19 '05 #3
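As an added example that is not part of the thread or either poster's code, here are the two escapes Bob describes written as classic ASP VBScript functions: doubling the apostrophe for a string literal, and bracketing the wildcard characters so they match themselves inside a LIKE pattern (which also answers the "how do you escape square brackets?" question: `[` becomes `[[]`). It assumes ADO over the Jet OLE DB provider, where the LIKE wildcards are `%` and `_` (the DAO-style `*`, `?` and `#` are not handled), and the function names, the `Products` table and the `conn` connection object are my own.

```vbscript
' Added example, not from the thread. Assumes classic ASP with ADO over the
' Jet OLE DB provider, so LIKE wildcards are % and _ and [...] is a character class.

' Escape a value for use inside a single-quoted SQL string literal.
' The only character with meaning inside '...' is the apostrophe itself,
' and SQL escapes it by doubling, as Bob describes. Everything else
' (semicolons, comment markers, brackets) is inert inside the literal.
Function SqlQuote(value)
    SqlQuote = "'" & Replace(CStr(value), "'", "''") & "'"
End Function

' Escape a value for use as literal text inside a LIKE pattern. Each wildcard
' is wrapped in a one-character class so it matches only itself:
'   [  ->  [[]      %  ->  [%]      _  ->  [_]
' The opening bracket must be handled first, otherwise the brackets added
' for % and _ would themselves be escaped. A closing ] outside a class is
' an ordinary character in Jet and needs no escape.
Function LikeEscape(value)
    Dim s
    s = Replace(CStr(value), "[", "[[]")
    s = Replace(s, "%", "[%]")
    s = Replace(s, "_", "[_]")
    LikeEscape = s
End Function

' Build a "contains" search. Order matters: LIKE-escape the user's text
' first, add the wildcards you intend, then quote the whole pattern as a
' string literal (an apostrophe in a pattern still needs doubling).
Function BuildSearchSql(term)
    BuildSearchSql = "SELECT ProductID, ProductName FROM Products " & _
        "WHERE ProductName LIKE " & SqlQuote("%" & LikeEscape(term) & "%")
End Function

' Usage in the page (conn is an open ADODB.Connection, assumed):
'   Set rs = conn.Execute(BuildSearchSql(Request.Form("q")))
' A term such as  O'Brien  or  100% cotton  or  [sale]  is then matched
' literally instead of terminating the string or acting as a wildcard.
```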
