DaniWeb IT Discussion Community


Plonter Mar 10th, 2006 7:34 am
Problem with input
 
Hello all!

I need to fill a database using Microsoft Access and SQL in an ASP page.

I need to check that the input does not exist yet, so I use the following to create the SQL sentence:
tempsql = "select * from table where filed= '"
tempsql = tempsql & request.form("name")
tempsql = tempsql & "'"

My problem is that I have to allow the input to include the sign ' ... it doesn't agree to accept it because of the field =' '...

In which other form can I get that input?
Thanks,
Plonter

Lafinboy Mar 13th, 2006 6:43 am
Re: Problem with input
 
You will need to use a simple, yet essential, replace statement on your inputs to allow the use of quotes. This allows the users to input values such as O'Hare legitimately, and also prevents the simplest form of SQL Injection attack by the use of a ' to break the code. A simple function to replace quotes would be like:
function cleanString( string )
    '// replace single quotes
    strTemp = replace(string, "'", "''")
    '// replace quotes
    strTemp = replace(strTemp, """", """""")
    cleanString = strTemp
end function
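
Another way to accept a value containing ' in the existence check from the question is to pass it as an ADO parameter instead of concatenating it into the SQL text. This is an added example, not code from either post; the connection string, the database path and the error messages are assumptions, and [table] / [filed] are the placeholder names used in the question.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128

' Builds a command with one text parameter. The value is sent as data,
' so a ' inside it (O'Hare) never becomes part of the SQL statement.
Function MakeCommand(conn, strSql, strValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = strSql
    cmd.Parameters.Append cmd.CreateParameter("name", adVarWChar, adParamInput, 255, strValue)
    Set MakeCommand = cmd
End Function

' Returns True when a row with this name already exists.
Function NameExists(conn, strName)
    Dim rs
    ' TABLE is a reserved word in Jet SQL, hence the brackets.
    Set rs = MakeCommand(conn, "SELECT COUNT(*) FROM [table] WHERE [filed] = ?", strName).Execute
    NameExists = (rs(0).Value > 0)
    rs.Close
End Function

Dim conn, strName
strName = Trim(Request.Form("name"))
If Len(strName) = 0 Or Len(strName) > 255 Then
    Response.Write "Name must be 1 to 255 characters."
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    ' Assumed provider and database path.
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/data/example.mdb")
    If NameExists(conn, strName) Then
        Response.Write "That name already exists."
    Else
        MakeCommand(conn, "INSERT INTO [table] ([filed]) VALUES (?)", strName).Execute , , adExecuteNoRecords
        Response.Write "Saved."
    End If
    conn.Close
End If
%>
```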

