Escape characters

 
 
BTnews
      02-01-2004
Hi,

Can anyone here point me at a definitive guide or tutorial about using
escape characters when building SQL queries from user entered data?
I'm especially interested in info on this in regard to Access databases and
(classic) ASP.

I've been writing ASP for just over a year now, and I've usually found very
comprehensive answers to other problems on one of the many excellent website
resources out there. The coverage of this particular issue seems to be
patchy at best though. Given the importance of this in regards to security
and making sure key features like search facilities work properly I'm
surprised it isn't covered very well. The solutions I've seen include
doubling apostrophes (which doesn't always seem to work), using [] brackets
within LIKE clauses (so how do you escape square brackets?), using
backslashes, using an ESCAPE keyword etc.

What I want to know is which solutions to use in which cases, and a full
list of characters to check for would be useful also.

Thanks

D.Jones


 
 
 
 
 
Tim Williams
      02-01-2004

Basic principles (except for DB-specific escape char) are the same
whatever the platform

http://www.google.com/search?hl=en&i...L+injection%22
http://groups.google.com/groups?hl=e...=Google+Search

Tim.


"BTnews" <(E-Mail Removed)> wrote in message
news:bvjb7b$a72$(E-Mail Removed)...
> Hi,
>
> Can anyone here point me at a definitive guide or tutorial about using
> escape characters when building SQL queries from user entered data?
> I'm especially interested in info on this in regard to Access databases and
> (classic) ASP.
>
> I've been writing ASP for just over a year now, and I've usually found very
> comprehensive answers to other problems on one of the many excellent website
> resources out there. The coverage of this particular issue seems to be
> patchy at best though. Given the importance of this in regards to security
> and making sure key features like search facilities work properly I'm
> surprised it isn't covered very well. The solutions I've seen include
> doubling apostrophes (which doesn't always seem to work), using [] brackets
> within LIKE clauses (so how do you escape square brackets?), using
> backslashes, using an ESCAPE keyword etc.
>
> What I want to know is which solutions to use in which cases, and a full
> list of characters to check for would be useful also.
>
> Thanks
>
> D.Jones



 
 
 
 
 
Bob Barrows
      02-02-2004
BTnews wrote:
> Hi,
>
> Can anyone here point me at a definitive guide or tutorial about using
> escape characters when building SQL queries from user entered data?
> I'm especially interested in info on this in regard to Access
> databases and (classic) ASP.
>
> I've been writing ASP for just over a year now, and I've usually
> found very comprehensive answers to other problems on one of the many
> excellent website resources out there. The coverage of this
> particular issue seems to be patchy at best though. Given the
> importance of this in regards to security and making sure key
> features like search facilities work properly I'm surprised it isn't
> covered very well. The solutions I've seen include doubling
> apostrophes (which doesn't always seem to work), using [] brackets
> within LIKE clauses (so how do you escape square brackets?), using
> backslashes, using an ESCAPE keyword etc.
>
> What I want to know is which solutions to use in which cases, and a
> full list of characters to check for would be useful also.
>
> Thanks
>
> D.Jones


In both SQL and vbscript (VB/VBA), you escape characters by doubling them. I
have never seen a circumstance where this did not "seem to work". Perhaps
you could expand on this ...

Backslashes are used in jscript/javascript. I've never used a language that
used an ESCAPE keyword.

I have posted on this subject several times in the past, so instead of
writing about it again, here are some links:


http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

http://www.google.com/groups?hl=en&l...r%3D%26hl%3Den

http://tinyurl.com/jyy0

http://www.google.com/groups?hl=en&l...miter%2Bauthor:Bob%2Bauthor:Barrows%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN

HTH,
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

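An added example, not part of any post in this thread: one way to combine the apostrophe-doubling rule with the `[]` bracket technique the question asks about, in VBScript for classic ASP against an Access (Jet) database. The function names, the `Articles` table and the `Title` column are hypothetical, and the `%` wildcard assumes the query is sent through ADO, where Jet uses `%` and `_` rather than `*` and `?`.

```vbscript
Option Explicit

' Added example; function, table and column names are hypothetical.

' Wrap a value as a Jet SQL string literal: embedded apostrophes are doubled.
Function SqlQuote(ByVal s)
    SqlQuote = "'" & Replace(s, "'", "''") & "'"
End Function

' Make user text literal inside a LIKE pattern by wrapping each pattern
' character in [ ]. An opening bracket becomes [[]; a lone "]" is not
' special and is left alone. The loop is a single pass, so brackets
' added here are never escaped a second time.
Function LikeLiteral(ByVal s)
    Const SPECIALS = "[%_*?#"
    Dim i, ch, out
    out = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        If InStr(SPECIALS, ch) > 0 Then
            out = out & "[" & ch & "]"
        Else
            out = out & ch
        End If
    Next
    LikeLiteral = out
End Function

' Build a "contains" search. Order matters: neutralise LIKE characters
' first, add our own wildcards, then quote the whole pattern once.
Function BuildSearchSql(ByVal term)
    BuildSearchSql = "SELECT Title FROM Articles WHERE Title LIKE " & _
        SqlQuote("%" & LikeLiteral(term) & "%")
End Function

' Constructed sample inputs covering an apostrophe, brackets and wildcards.
Dim samples, t
samples = Array("O'Brien", "100% [draft]", "a_b*c")
For Each t In samples
    WScript.Echo BuildSearchSql(t)
Next
```

Run it with `cscript.exe` to see the generated statements. Binding the pattern as an `ADODB.Command` parameter makes `SqlQuote` unnecessary, but `LikeLiteral` is still needed because parameters do not neutralise LIKE characters.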

 