Webmaster Forum / ASP / Database Access / January 2006
how to prevent inputting quotation mark (') in a form?

Kevin - 25 Jan 2006 12:59 GMT
Hi,

I made a form where visitors can enter data.
I use this:
strsql = "INSERT INTO mytable (field1,field2 ...) values('" & lol & "',#" & dat & ...)"

My problem is that when someone enters a quotation mark, I get an error
and the insert fails (e.g. nam'e).

How can I prevent that? Controlling each entered character seems to me to be
a lot of work ...

Thanks
Kevin
Bob Barrows [MVP] - 25 Jan 2006 13:24 GMT
> My problem is that when someone enters a quotation mark, I get an
> error and the insert fails (e.g. nam'e).

Please don't ask a database-related question without telling us what
database you are using. :-)

This is yet another delimiter problem resulting from the use of dynamic sql.
See this for an explanation of how to handle embedded delimiters:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/713f592513bf333c?hl=en&lr=&ie=UTF-8&oe=UTF-8


That post also goes into using stored procedures/saved queries. If you wish
to avoid using that efficient method, then you should use a Command object
to pass parameter values to a string containing parameter markers. See:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


Neither technique relieves you of the responsibility of validating user
inputs in your server-side code, if only to prevent errors caused by
incorrectly entered data.

> How can i prevent that?

Don't try to prevent the entry of what may be valid data (it can only be
done with client-side code which is outside the topic of this newsgroup -
see microsoft.public.scripting.jscript if you wish to persist with this).
Use parameters so embedded delimiters do not matter. Another benefit of
using parameters is it makes your application sql injection-proof:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

> Controling each entered character seems me to
> be a very big work ...

Yes.

HTH,
Bob Barrows

Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

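A worked version of the Command-object approach Bob describes, added here as an illustration; it is not code from the thread or from the linked posts. It assumes a classic ASP page talking to an Access database (the original post's # date delimiter suggests Access, which Kevin never confirmed), a table mytable with a text column field1 and a date column field2 (column names from Kevin's post; the types, the 50-character limit and the data.mdb path are assumptions), and form fields named field1 and field2. The ADO constants are spelled out as numbers so the page runs without adovbs.inc.

```vbscript
<%
Option Explicit
' Added example, not from the original thread.
' ADO constants written out so adovbs.inc / the type library are not needed.
Const adCmdText = 1
Const adVarChar = 200
Const adDate = 7
Const adParamInput = 1
Const adExecuteNoRecords = 128

' Assumed connection string; replace with your own.
Dim strConn
strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data.mdb")

' --- What the original post does (vulnerable, shown only for contrast) ---
' An input such as nam'e closes the string literal early, so the statement
' no longer parses; a deliberately crafted input can change what it does.
'   strsql = "INSERT INTO mytable (field1,field2) VALUES ('" & lol & "',#" & dat & "#)"

' Server-side validation still matters with parameters: it rejects data the
' database would reject anyway (bad dates, over-long text) with a clear message.
Function ValidateInput(ByVal name, ByVal dateText, ByRef errMsg)
    ValidateInput = False
    If Len(name) = 0 Or Len(name) > 50 Then
        errMsg = "field1 must be 1 to 50 characters"
        Exit Function
    End If
    If Not IsDate(dateText) Then
        errMsg = "field2 is not a valid date"
        Exit Function
    End If
    ValidateInput = True
End Function

' Parameterized insert: the SQL text is fixed and the values are sent
' separately, so an apostrophe in field1 is just data, not a delimiter.
Sub InsertRow(ByVal conn, ByVal name, ByVal dateValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO mytable (field1, field2) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("field1", adVarChar, adParamInput, 50, name)
    cmd.Parameters.Append cmd.CreateParameter("field2", adDate, adParamInput, , dateValue)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

Dim name, dateText, errMsg, conn
name = CStr(Request.Form("field1"))
dateText = CStr(Request.Form("field2"))

If Not ValidateInput(name, dateText, errMsg) Then
    Response.Write Server.HTMLEncode(errMsg)
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    InsertRow conn, name, CDate(dateText)   ' works for nam'e, O'Brien, etc.
    conn.Close
    Set conn = Nothing
    Response.Write "Row inserted."
End If
%>
```

The two parameter markers (?) are positional, so the Parameters must be appended in the same order as the columns in the statement. The size argument is required for adVarChar and omitted for adDate, and passing a real Date (via CDate after the IsDate check) rather than a formatted string avoids the locale-dependent date parsing that the # delimiter in the original string would have relied on.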
Kevin - 25 Jan 2006 17:27 GMT
thanks