Escape characters

Discussion in 'ASP .Net' started by Maziar Aflatoun, Dec 5, 2003.

  1. Hi everyone,

    I have a form that stores the information it collects into a database.
    However, for textboxes if I have a user input as something like
    this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
    's'...etc). Is there a function that would make this database safe?

    Thank you
    Maz.
     
    Maziar Aflatoun, Dec 5, 2003
    #1

  2. Maziar,

    If you need to pass an apostrophe into a database, double up the apostrophe.

    So If a user were to enter: 'sda

    You would do this:

    Dim StringForDatabase As String = TextBox1.Text.Replace("'", "''")

    An enlargement of the quotes would look like this: " ' ", " ' ' "


    --
    Sincerely,

    S. Justin Gengo, MCP
    Web Developer / Programmer

    Free code library at:
    www.aboutfortunate.com

    "Out of chaos comes order."
    Nietzsche


    "Maziar Aflatoun" <> wrote in message
    news:a83Ab.70538$...
    > Hi everyone,
    >
    > I have a form that stores the information it collects into a database.
    > However, for textboxes if I have a user input as something like
    > this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
    > 's'...etc). Is there a function that would make this database safe?
    >
    > Thank you
    > Maz.
    >
    >
     
    S. Justin Gengo, Dec 5, 2003
    #2

  3. Jos (Guest)

    Maziar Aflatoun wrote:
    > Hi everyone,
    >
    > I have a form that stores the information it collects into a
    > database. However, for textboxes if I have a user input as something
    > like
    > this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
    > 's'...etc). Is there a function that would make this database safe?
    >
    > Thank you
    > Maz.


    Apart from Justin's suggestion, you can also use the Parameters
    collection of the OleDbCommand or SqlCommand.

    For instance (this is for Visual Basic):

    Imports System.Data
    Imports System.Data.SqlClient

    ' SqlCommand recognises the @Name placeholders by name; OleDbCommand
    ' would need ? placeholders bound in order instead.
    Dim strSQL As String = _
        "INSERT INTO myTable (Name, Address) VALUES (@Name, @Address)"
    Dim cm As New SqlCommand(strSQL, conn)
    ' The values travel as parameters, never spliced into the SQL text.
    cm.Parameters.Add("@Name", SqlDbType.VarChar).Value = nameFromUserInput
    cm.Parameters.Add("@Address", SqlDbType.VarChar).Value = addressFromUserInput
    ' An INSERT returns no rows, so run it with ExecuteNonQuery.
    cm.ExecuteNonQuery()

    This code will take care of the quotes (note that it will also automatically
    add quotes around string data in the SQL command).
    It will convert DateTime input to the correct format for SQL as well.
    On top of that, this code will also prevent hackers from inserting
    unsafe commands into the SQL string.

    --

    Jos Branders
     
    Jos, Dec 5, 2003
    #3
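To make the difference between the three approaches in this thread concrete, here is an added example (not from any poster) that runs the exact textbox value from the question through string concatenation, Justin's apostrophe doubling, and a parameterized statement. It uses Python with an in-memory sqlite3 database as a stand-in for the ADO.NET code above; the table name and column names follow Jos's post, and the address value is constructed.

```python
import sqlite3

# The exact textbox value from the question (constructed test data).
USER_INPUT = "'s 'sda"


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (Name TEXT, Address TEXT)")
    return conn


def insert_concatenated(conn, name, address):
    # The failing pattern: the value is spliced into the SQL text, so the
    # apostrophe in the input is read as the end of the string literal.
    sql = ("INSERT INTO myTable (Name, Address) VALUES ('"
           + name + "', '" + address + "')")
    conn.execute(sql)


def insert_doubled(conn, name, address):
    # Justin's workaround: escape each apostrophe by doubling it, then splice.
    esc = lambda s: s.replace("'", "''")
    sql = ("INSERT INTO myTable (Name, Address) VALUES ('"
           + esc(name) + "', '" + esc(address) + "')")
    conn.execute(sql)


def insert_parameterized(conn, name, address):
    # Jos's approach: placeholders in the SQL text, values bound separately,
    # so the driver never has to parse the user's text as SQL.
    conn.execute("INSERT INTO myTable (Name, Address) VALUES (?, ?)",
                 (name, address))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT Name FROM myTable ORDER BY rowid")]


def demo():
    conn = setup_db()
    results = {}
    try:
        insert_concatenated(conn, USER_INPUT, "1 Main St")
        results["concatenated"] = "inserted"
    except sqlite3.OperationalError as e:
        # Same failure the question reports: a syntax error near "s".
        results["concatenated"] = "error: " + str(e)
    insert_doubled(conn, USER_INPUT, "1 Main St")
    insert_parameterized(conn, USER_INPUT, "1 Main St")
    results["stored"] = stored_names(conn)   # both safe paths store the text verbatim
    return results
```

Running demo() shows the concatenated statement rejected by the parser while the doubled and parameterized inserts each store the literal text 's 'sda.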
  4. Jason S (Guest)

    Maziar,

    You should be concerned with SQL injection attacks (esp. if this is a public
    facing site). If you are going to use dynamic sql strings like this you
    should really be examining input closely before passing it to your database.
    If you use stored procedures you will not have to worry much about this. Do
    a Google search on SQL injection attacks.

    Regards,
    Jason S.

    "Maziar Aflatoun" <> wrote in message
    news:a83Ab.70538$...
    > Hi everyone,
    >
    > I have a form that stores the information it collects into a database.
    > However, for textboxes if I have a user input as something like
    > this 's 'sda, the ' causes it to fail (ex. Incorrect syntax near
    > 's'...etc). Is there a function that would make this database safe?
    >
    > Thank you
    > Maz.
    >
    >
     
    Jason S, Dec 5, 2003
    #4