
Escaping quotes and injections

Hi, I wonder if someone could advise on the following.
I inherited this code; I am not a coder, but I have had some kind of hack and am looking at the code to reduce its vulnerability. At the top of the page I have

    nPage = CLng(Request.QueryString("Page"))

    Keyword = Trim(Request.QueryString("Keyword"))

In the WHERE clause I have

    p.area LIKE '%" & Replace(Keyword, "_", " ") & "%'

I need to replace these for the query string, but do I also need to add an escape?

    p.area LIKE '%" & Replace(Keyword, "'", "''") & "%'



Thanks for any advice.
Richard
Apr 28 '15 #1
1 Reply


Rabbit
What do you mean by escape? Replacing single quotes with double single quotes is an escape for quotes. But if you want to truly protect against injection, you should use parameters instead.
Apr 28 '15 #2
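The parameterised form Rabbit recommends, as an added example (not the poster's code): the WHERE clause from the question moved onto an ADODB.Command with a "?" placeholder so the keyword travels as data, never as SQL text. The connection string, the table name places and the column list are placeholders; the ADO constants are the standard values that adovbs.inc normally supplies.

```vbscript
<%
Option Explicit
' Added example, not the original page's code. Assumes SQLOLEDB (or another
' OLE DB provider that accepts "?" placeholders) and a table "places" with
' a column "area"; both names are placeholders.
Const adCmdText = 1       ' standard ADO constants, hard-coded in case adovbs.inc is not included
Const adVarChar = 200
Const adParamInput = 1

Dim nPage, Keyword, connStr, conn, cmd, rs

' CLng() coerces the value to a number (and raises Type Mismatch on anything
' else), so nPage cannot carry SQL text into the query; that line is fine as is.
nPage = CLng(Request.QueryString("Page"))
Keyword = Trim(Request.QueryString("Keyword"))

connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MyDb;Integrated Security=SSPI;"  ' placeholder

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text contains no user input at all; the provider binds the
' parameter value into the "?" slot separately from the statement.
cmd.CommandText = "SELECT area FROM places p WHERE p.area LIKE ?"

' Keyword is passed as a value: a single quote inside it is just a quote,
' so the Replace("'", "''") escape from the question is no longer needed.
' The original Replace("_", " ") is kept. Note that % and _ inside the value
' are still LIKE wildcards; that affects search results, not injection.
cmd.Parameters.Append cmd.CreateParameter("@area", adVarChar, adParamInput, 255, _
    "%" & Replace(Keyword, "_", " ") & "%")

Set rs = cmd.Execute
Do Until rs.EOF
    ' HTMLEncode on output closes off the matching cross-site-scripting hole.
    Response.Write Server.HTMLEncode(rs("area")) & "<br>"
    rs.MoveNext
Loop
rs.Close: conn.Close
%>
```

If the page mixes CLng() and parameters like this, the only remaining string concatenation is the "%" wrapping of the parameter value, which is harmless because it never reaches the SQL text.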
