Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
6  5745 
Christian,
I don't know of a way to predetermine if a string contains valid SQL.
Are you wanting to do that so you can concatenate strings into an SQL
statement? If so, that is what parameters are for.
Use parameters to prevent sql injection attacks.
Kerry Moorman
"Christian Blackburn" wrote: Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
Christian,
Can you explain this more, because in normal situations those commands don't
go over the line by ASPNet. Not in build as well not in scripting mode.
Cor
"Christian Blackburn" <ch************ *****@Yahoo.com > schreef in bericht
news:11******** *************@h 76g2000cwa.goog legroups.com... Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
SQL commands inside strings are harmless, as long as you encode the
strings correctly.
For an example, this query is safe:
"insert into TableXYX (Description) values ('; Drop TableXYX;')"
How strings should be encoded differ from database to database.
Access: Replace "'" with "''".
MS SQL: Replace "'" with "''".
MySQL: Replace "\" with "\\", then "'" with "\'".
As Kerry pointed out, this can be handled by using parameters. Then you
don't need to worry about what characters it is that needs to be encoded.
Christian Blackburn wrote: Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
In addition, you should always check the values your users are entering to
make sure they don't include invalid characters. If you check your input
to make sure it doesn't include the single tick (') and semicolon, you don't
need to worry about that. In many ways, it is better to specify only the
valid characters.
For instance, in my applications, I have a method that checks for valid characters
on a per-property basis using regex. If I have a field that only allows characters,
digits, comma and space I can do something like:
If Not RegEx.IsMatch(v alue, "[^A-Za-z\d-, ]") then
Throw New ArgumentExcepti on
End If
In addition to filtering for the correct values, USE PARAMETERIZED QUERIES
or stored procedures.
Jim Wooley http://devauthority.com/blogs/jwooley/default.aspx SQL commands inside strings are harmless, as long as you encode the
strings correctly.
For an example, this query is safe:
"insert into TableXYX (Description) values ('; Drop TableXYX;')"
How strings should be encoded differ from database to database.
Access: Replace "'" with "''".
MS SQL: Replace "'" with "''".
MySQL: Replace "\" with "\\", then "'" with "\'".
As Kerry pointed out, this can be handled by using parameters. Then
you don't need to worry about what characters it is that needs to be
encoded.
Christian Blackburn wrote:
Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
Update: That should read: If RegEx.IsMatch(v alue, "[^A-Za-z\d-, ]") then
The Not is included in the regex string (^)
Jim Wooley
http://devauthority.com/blogs/jwooley/default.aspx
In addition, you should always check the values your users are
entering to make sure they don't include invalid characters. If you
check your input to make sure it doesn't include the single tick (')
and semicolon, you don't need to worry about that. In many ways, it is
better to specify only the valid characters.
For instance, in my applications, I have a method that checks for
valid characters on a per-property basis using regex. If I have a
field that only allows characters, digits, comma and space I can do
something like:
If Not RegEx.IsMatch(v alue, "[^A-Za-z\d-, ]") then
Throw New ArgumentExcepti on
End If
In addition to filtering for the correct values, USE PARAMETERIZED
QUERIES or stored procedures.
Jim Wooley
http://devauthority.com/blogs/jwooley/default.aspx SQL commands inside strings are harmless, as long as you encode the
strings correctly.
For an example, this query is safe:
"insert into TableXYX (Description) values ('; Drop TableXYX;')"
How strings should be encoded differ from database to database.
Access: Replace "'" with "''".
MS SQL: Replace "'" with "''".
MySQL: Replace "\" with "\\", then "'" with "\'".
As Kerry pointed out, this can be handled by using parameters. Then
you don't need to worry about what characters it is that needs to be
encoded.
Christian Blackburn wrote:
Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo
and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I
wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
Jim Wooley wrote: In addition, you should always check the values your users are entering
to make sure they don't include invalid characters. If you check your
input to make sure it doesn't include the single tick (') and semicolon,
you don't need to worry about that.
If correctly encoded, strings may very well contain apostrophes (').
Semicolon has no special meaning inside strings, so that is no concern.
Actually, as long as the strings are encoded correctly, there are no
characters that causes problems for the database. It's true that all
input should be validated, but for strings it's mostly a matter of
keeping the information sane rather than protecting the database.
In many ways, it is better to
specify only the valid characters.
For instance, in my applications, I have a method that checks for valid
characters on a per-property basis using regex. If I have a field that
only allows characters, digits, comma and space I can do something like:
If Not RegEx.IsMatch(v alue, "[^A-Za-z\d-, ]") then
Hmm... What is the hyphen doing between \d and the comma?
Throw New ArgumentExcepti on
End If
In addition to filtering for the correct values, USE PARAMETERIZED
QUERIES or stored procedures.
Or rather, always use parameteters, with or without stored procedures.
Jim Wooley
http://devauthority.com/blogs/jwooley/default.aspx
SQL commands inside strings are harmless, as long as you encode the
strings correctly.
For an example, this query is safe:
"insert into TableXYX (Description) values ('; Drop TableXYX;')"
How strings should be encoded differ from database to database.
Access: Replace "'" with "''".
MS SQL: Replace "'" with "''".
MySQL: Replace "\" with "\\", then "'" with "\'".
As Kerry pointed out, this can be handled by using parameters. Then
you don't need to worry about what characters it is that needs to be
encoded.
Christian Blackburn wrote:
Hi Gang,
When encoding HTML strings it'll convert things like " --> &rsquo and
the like using Server.HTMLEnco de(). However, is there a command to
make sure strings don't contain valid SQL commands? Like I wouldn't
want a string to contain
"; Drop TableXYX;" or something along those lines.
Thanks,
Christian Blackburn
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: fowlertrainer |
last post by:
Hi !
I'm hungarian, we use special characters like:
á - a'
õ -o"
etc.
I want to encode this characters to in config file I see these
characters as \nnn format.
|
by: Richard Townsend |
last post by:
Using Python-2.3.4 on HP-UX11i, the following code:
import locale
loc = locale.setlocale(locale.LC_ALL)
print 'locale =', loc
loc = locale.nl_langinfo(locale.CODESET)
print 'locale =', loc
print 'hello'.encode(loc, 'replace')
produces:
|
by: Pierre Rouleau |
last post by:
Greetings,
I'm wondering why the >> operator does not use the write() method of a
class derived from the built-in file class as in DerivedFile below.
In the following example:
- StringFile is just a file-like string accumulation class that can be
used in place of a real file to accumulate strings that would otherwise
be printed. Works fine, can accumulate strings with the >> operator,
|
by: Scott Matthews |
last post by:
I've recently come upon an odd Javascript (and/or browser) behavior,
and after hunting around the Web I still can't seem to find an answer.
Specifically, I have noticed that the Javascript encode() function
behaves differently if a codepage has been set.
For example:
<script>
document.write(escape('Ôèëìè'));
(note: that should be five accented characters)
|
by: thomas Armstrong |
last post by:
Hi
Using Python 2.3.4 + Feedparser 3.3 (a library to parse XML documents)
I'm trying to parse a UTF-8 document with special characters like
acute-accent vowels:
--------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
....
-------
| | |
by: Ratbert |
last post by:
Hi,
I'm searching for a portable library, providing some sort of
parsing functionality. The library should help to encode and
decodes command phrases. Commands are plain text C-strings,
consisting of a command name and parameters (defined by parameter
name and value); e.g.:
command{param1{123}param2{ghij}param3{1.234}param4{param5{param6{x}param7{0}}}}
|
by: erikcw |
last post by:
Hi,
I'm trying to build a SQL string
sql = """INSERT INTO ag ('cid', 'ag', 'test') VALUES(%i, %s, %d)""",
(cid, ag, self.data)
It raises this error: AttributeError: 'tuple' object has no attribute
'encode'
|
by: 7stud |
last post by:
s1 = "hello"
s2 = s1.encode("utf-8")
s1 = "an accented 'e': \xc3\xa9"
s2 = s1.encode("utf-8")
The last line produces the error:
---
Traceback (most recent call last):
|
by: Jerry Hill |
last post by:
On Fri, Oct 3, 2008 at 5:38 PM, Valery Khamenya <khamenya@gmail.comwrote:
Do you know what, exactly, you'd like the result to be? The encoding
of unicode characters into URIs is not well defined. My understanding
is that the most common case is to percent-encode UTF-8, like this:
'M%C3%BCller'
If you need to, you can encode your unicode string differently, like this:
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
