Hello,

I am generally a PHP guy, but right now I need to update entries in SQL Server using ASP.
Does anyone know how to escape malicious data before putting it into the database? The following is what I am doing right now.
Many thanks in advance.

Dim inactiveList, rs, sql

' Get ids from the check boxes (Request.Form joins repeated fields as "1, 2, 3")
inactiveList = Request.Form("inactive")

Set rs = Server.CreateObject("ADODB.RecordSet")

' Escape single quotes by doubling them
inactiveList = Replace(inactiveList, "'", "''")

' Get rid of white space
inactiveList = Replace(inactiveList, " ", "")

' Put single quotes around each listnum: "1,2,3" becomes "'1','2','3'"
' (the separator must close the previous value and open the next one)
inactiveList = Replace(inactiveList, ",", "','")
inactiveList = "'" & inactiveList & "'"

If inactiveList <> "''" Then
    sql = "UPDATE table1 SET status=0 WHERE ID IN(" & inactiveList & ")"
    rs.open sql, connStr
End If
2 Contributors, 1 Reply, 2 Views, 8 Years Discussion Span, Last Post by chsab420

You don't need a recordset to update the records.

You can just do that by

connectionName.execute(sql_statement)

Other than that I don't see any problem.

Also, you are making the recordset way earlier than you need it.
It's a waste of resources, I guess, although very little at this level, but in a big application it does affect things.
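A parameterized version of the update, added here as an example (it is not code from the question or the reply above): each submitted ID is validated as a whole number and passed as a typed ADODB.Command parameter, so the values never become part of the SQL text and no quote escaping is needed. table1, connStr and the "inactive" form field are taken from the question; ParseIdList and DeactivateIds are names chosen for this example.

```vbscript
<%
Option Explicit
' ADO constants (no type library is referenced in classic ASP)
Const adInteger = 3, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128

' Turn "1, 2, 3" from the check boxes into an array of Long IDs; anything that is
' not a plain whole number (quotes, "1 OR 1=1", "1e3", blanks) is silently dropped.
Function ParseIdList(raw)
    Dim re, parts, part, token, ids, n
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"               ' digits only, fits in a 32-bit integer
    parts = Split(CStr(raw), ",")
    ReDim ids(UBound(parts))
    n = 0
    For Each part In parts
        token = Trim(part)
        If re.Test(token) Then
            ids(n) = CLng(token)
            n = n + 1
        End If
    Next
    ReDim Preserve ids(n - 1)               ' n = 0 yields an empty array (UBound = -1)
    ParseIdList = ids
End Function

' Run UPDATE ... WHERE ID IN (?,?,...) with one parameter per ID.
' Returns the number of rows affected.
Function DeactivateIds(connStr, ids)
    Dim conn, cmd, i, placeholders, affected
    DeactivateIds = 0
    If UBound(ids) < 0 Then Exit Function   ' nothing valid was submitted
    placeholders = "?"
    For i = 1 To UBound(ids)
        placeholders = placeholders & ",?"
    Next
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "UPDATE table1 SET status = 0 WHERE ID IN (" & placeholders & ")"
    For i = 0 To UBound(ids)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adInteger, adParamInput, , ids(i))
    Next
    cmd.Execute affected, , adExecuteNoRecords   ' no recordset is created for an UPDATE
    conn.Close
    DeactivateIds = affected
End Function

Response.Write DeactivateIds(connStr, ParseIdList(Request.Form("inactive"))) & " row(s) updated"
%>
```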
