Hello,
I am generally a php guy. But right now I need to update entries in SQL Server using ASP.
Does anyone know how to escape malicious data before putting it into the database? The following is what I am doing right now:
Many thanks in advance.
Dim inactiveList, rs, sql
' Get ids from the check boxes (comma-separated list, e.g. "1, 2, 3")
inactiveList = Request.Form("inactive")
Set rs = Server.CreateObject("ADODB.RecordSet")
' Escape single quote
inactiveList = Replace(inactiveList, "'", "''")
' Get rid of white space
inactiveList = Replace(inactiveList, " ", "")
' Put single quotes around each listnum: 1,2,3 -> '1','2','3'
' (replacing "," with "','" closes the previous value and opens the next one)
inactiveList = Replace(inactiveList, ",", "','")
inactiveList = "'" & inactiveList & "'"
If inactiveList <> "''" Then
    sql = "UPDATE table1 SET status=0 WHERE ID IN(" & inactiveList & ")"
    rs.Open sql, connStr
End If
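An added example, not the poster's code: the same UPDATE done with ADODB.Command parameters, so the ids are validated and bound as integers and never concatenated into the SQL text at all. It reuses connStr, table1, ID and status from the post; DeactivateIds and IsDigits are names chosen here, and the ADO constants are hard-coded so adovbs.inc is not required.

```vbscript
' ADO constants (hard-coded so adovbs.inc is not needed)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' True only for a non-empty string of decimal digits that fits a Long.
Function IsDigits(s)
    Dim j
    IsDigits = (Len(s) > 0 And Len(s) <= 9)
    For j = 1 To Len(s)
        If InStr("0123456789", Mid(s, j, 1)) = 0 Then IsDigits = False
    Next
End Function

' Builds "UPDATE table1 SET status = 0 WHERE ID IN (?, ?, ...)" with one
' bound parameter per id. Returns the number of rows affected, or -1 when
' the form field contained no valid ids (so no statement is executed).
Function DeactivateIds(rawList)
    Dim parts, i, idCount, cmd, placeholders, affected
    idCount = 0
    placeholders = ""
    parts = Split(rawList, ",")

    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr   ' connection string from the question
    cmd.CommandType = adCmdText

    For i = 0 To UBound(parts)
        parts(i) = Trim(parts(i))
        ' Anything that is not a plain integer is dropped, not escaped.
        If IsDigits(parts(i)) Then
            idCount = idCount + 1
            If idCount > 1 Then placeholders = placeholders & ", "
            placeholders = placeholders & "?"
            cmd.Parameters.Append cmd.CreateParameter("id" & idCount, adInteger, adParamInput, , CLng(parts(i)))
        End If
    Next

    If idCount = 0 Then
        DeactivateIds = -1
        Exit Function
    End If

    cmd.CommandText = "UPDATE table1 SET status = 0 WHERE ID IN (" & placeholders & ")"
    cmd.Execute affected
    DeactivateIds = affected
End Function

' Usage with the form field from the question:
' affectedRows = DeactivateIds(Request.Form("inactive"))
```

Because each id travels as an adInteger parameter, a value such as `1') OR 1=1--` is simply rejected by IsDigits rather than reaching the database as SQL text.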