Hello,

I am generally a PHP guy, but right now I need to update entries in SQL Server using ASP.
Does anyone know how to escape malicious data before putting it into the database? The following is what I am doing right now.
Many thanks in advance.

Dim inactiveList, rs, sql

' Get ids from the check boxes (a comma-separated list such as "3, 7, 12")
inactiveList = Request.Form("inactive")

' connStr is assumed to be set elsewhere on the page
Set rs = Server.CreateObject("ADODB.RecordSet")

' Escape single quote
inactiveList = Replace(inactiveList, "'", "''")

' Get rid of white space
inactiveList = Replace(inactiveList, " ", "")

' Put single quotes around each id: "3,7,12" becomes "'3','7','12'"
' (each comma needs a closing quote before it and an opening quote after it)
inactiveList = Replace(inactiveList, ",", "','")
inactiveList = "'" & inactiveList & "'"

If inactiveList <> "''" Then
    sql = "UPDATE table1 SET status=0 WHERE ID IN(" & inactiveList & ")"
    rs.Open sql, connStr
End If

You don't need a recordset to update the records.

You can just do that

by

connectionName.execute(sql_statement)

Other than that I don't see any problem.


Also, you are making the recordset way earlier than you need it.
It's a waste of resources, I guess, although very little at this level, but in a big application it does have an effect.
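For the escaping question in the original post and the "just execute it" point in the reply, here is an added example (not code from the post or from any reply) that avoids quoting altogether: it validates the checkbox values as whole numbers and passes them to SQL Server as parameters of an ADODB.Command. It assumes the table1/ID/status names from the question; connStr is a placeholder you replace with your own connection string.

```vbscript
' Added example: validate the ids, then bind them as parameters instead of
' pasting them into the SQL text. Assumed: table1/ID/status from the question;
' connStr below is a placeholder, not a real connection string.
Option Explicit
Dim connStr, conn, cmd, parts, ids, n, i, placeholders

connStr = "Provider=SQLOLEDB;Data Source=SERVER_PLACEHOLDER;Initial Catalog=DB_PLACEHOLDER;Integrated Security=SSPI"

' True only for a non-empty string of digits short enough to fit a 32-bit integer.
Function IsWholeNumber(s)
    Dim k
    IsWholeNumber = (Len(s) > 0 And Len(s) <= 9)
    For k = 1 To Len(s)
        If InStr("0123456789", Mid(s, k, 1)) = 0 Then IsWholeNumber = False
    Next
End Function

' Keep the values that are whole numbers; anything else is dropped, not escaped.
parts = Split(Request.Form("inactive"), ",")
ReDim ids(UBound(parts) + 1)   ' one spare slot keeps ReDim valid for an empty form value
n = 0
For i = 0 To UBound(parts)
    If IsWholeNumber(Trim(parts(i))) Then
        ids(n) = CLng(Trim(parts(i)))
        n = n + 1
    End If
Next

If n > 0 Then
    ' One "?" placeholder per id: "UPDATE ... WHERE ID IN (?,?,?)"
    placeholders = "?"
    For i = 2 To n
        placeholders = placeholders & ",?"
    Next

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1            ' adCmdText
    cmd.CommandText = "UPDATE table1 SET status = 0 WHERE ID IN (" & placeholders & ")"
    For i = 0 To n - 1
        ' adInteger = 3, adParamInput = 1: the driver sends each id as a typed integer
        cmd.Parameters.Append cmd.CreateParameter("id" & i, 3, 1, , ids(i))
    Next
    cmd.Execute , , 128            ' adExecuteNoRecords: no recordset is created
    conn.Close
End If
```

Because the ids travel as typed parameters, a value like `1' OR '1'='1` never reaches the query as SQL; it is simply rejected by IsWholeNumber.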
