Escape characters

 
 
Maziar Aflatoun
      12-05-2003
Hi everyone,

I have a form that stores the information it collects into a database.
However, for textboxes if I have a user input as something like
this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
's'...etc). Is there a function that would make this database safe?

Thank you
Maz.


 
 
 
 
 
S. Justin Gengo
      12-05-2003
Maziar,

To pass an apostrophe into a database, double up the apostrophe.

So if a user were to enter: 'sda

You would do this:

Dim StringForDatabase As String = TextBox1.Text.Replace("'", "''")

An enlargement of the quotes would look like this: " ' ", " ' ' "


--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche


"Maziar Aflatoun" wrote in message:
> Hi everyone,
>
> I have a form that stores the information it collects into a database.
> However, for textboxes if I have a user input as something like
> this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
> 's'...etc). Is there a function that would make this database safe?
>
> Thank you
> Maz.
>
>



 
 
 
 
 
Jos
      12-05-2003
Maziar Aflatoun wrote:
> Hi everyone,
>
> I have a form that stores the information it collects into a
> database. However, for textboxes if I have a user input as something
> like
> this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
> 's'...etc). Is there a function that would make this database safe?
>
> Thank you
> Maz.


Apart from Justin's suggestion, you can also use the Parameters
collection of the OleDbCommand or SqlCommand.

For instance: (this is for Visual Basic)
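' Requires Imports System.Data.OleDb at the top of the file
Dim strSQL As String = _
    "INSERT INTO myTable (Name,Address) VALUES (@Name,@Address)"
Dim cm As New OleDbCommand(strSQL, conn)
' OleDb binds parameters by position, so add them in the order used in the SQL
cm.Parameters.Add("@Name", nameFromUserInput)
cm.Parameters.Add("@Address", addressFromUserInput)
' An INSERT returns no rows, so execute it with ExecuteNonQuery
cm.ExecuteNonQuery()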

This code will take care of the quotes (note that it will also automatically
add quotes around string data in the SQL command).
It will convert DateTime input to the correct format for SQL as well.
On top of that, this code will also prevent hackers from inserting
unsafe commands into the SQL string.

--

Jos Branders
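
Added example (not part of any post in this thread): the approaches discussed above, run side by side against an in-memory SQLite database using Python's sqlite3 module in place of ADO.NET so that it is self-contained. The table and column names follow Jos's snippet, the address value is a constructed sample, and SQLite uses ? placeholders where the snippet uses @Name.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE myTable (Name TEXT, Address TEXT)")
    return db

def insert_concatenated(db, name, address):
    # The failing pattern from the question: user input pasted into the SQL text.
    sql = "INSERT INTO myTable (Name,Address) VALUES ('%s','%s')" % (name, address)
    db.execute(sql)

def insert_doubled(db, name, address):
    # Quote doubling: stores the value correctly, but every call site must
    # remember it, and the rules depend on the database's string-literal syntax.
    def esc(s):
        return s.replace("'", "''")
    sql = "INSERT INTO myTable (Name,Address) VALUES ('%s','%s')" % (esc(name), esc(address))
    db.execute(sql)

def insert_parameterized(db, name, address):
    # Bound parameters: the SQL text is constant and the values are passed
    # separately, so they are never parsed as SQL.
    db.execute("INSERT INTO myTable (Name,Address) VALUES (?,?)", (name, address))

def stored_rows(db):
    return db.execute("SELECT Name, Address FROM myTable ORDER BY rowid").fetchall()

def demo():
    # Constructed sample input: the name is the string from the question.
    name, address = "'s 'sda", "12 O'Connell St"
    db = make_db()
    try:
        insert_concatenated(db, name, address)
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat_error = str(exc)  # the "incorrect syntax" failure from the question
    insert_doubled(db, name, address)
    insert_parameterized(db, name, address)
    return concat_error, stored_rows(db)

if __name__ == "__main__":
    err, rows = demo()
    print("concatenated insert failed:", err)
    for row in rows:
        print(row)
```

The doubled and parameterized inserts store identical rows; only the parameterized one does so without the input ever becoming part of the SQL text.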


 
 
Jason S
      12-05-2003
Maziar,

You should be concerned with SQL injection attacks (esp. if this is a public
facing site). If you are going to use dynamic sql strings like this you
should really be examining input closely before passing it to your database.
If you use stored procedures you will not have to worry much about this. Do
a google search on SQL injection attacks.

Regards,
Jason S.

"Maziar Aflatoun" wrote in message:
> Hi everyone,
>
> I have a form that stores the information it collects into a database.
> However, for textboxes if I have a user input as something like
> this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
> 's'...etc). Is there a function that would make this database safe?
>
> Thank you
> Maz.
>
>



 