Escape characters

Discussion in 'ASP General' started by BTnews, Feb 1, 2004.

  1. BTnews

    BTnews Guest

    Hi,

    Can anyone here point me at a definitive guide or tutorial about using
    escape characters when building SQL queries from user entered data?
    I'm especially interested in info on this in regard to Access databases and
    (classic) ASP.

    I've been writing ASP for just over a year now, and I've usually found very
    comprehensive answers to other problems on one of the many excellent website
    resources out there. The coverage of this particular issue seems to be
    patchy at best though. Given the importance of this in regards to security
    and making sure key features like search facilities work properly I'm
    surprised it isn't covered very well. The solutions I've seen include
    doubling apostrophes (which doesn't always seem to work), using [] brackets
    within LIKE clauses (so how do you escape square brackets?), using
    backslashes, using an ESCAPE keyword etc.

    What I want to know is which solutions to use in which cases, and a full
    list of characters to check for would be useful also.

    Thanks

    D.Jones
     
    BTnews, Feb 1, 2004
    #1

  2. BTnews

    Tim Williams Guest

    Basic principles (except for DB-specific escape char) are the same
    whatever the platform

    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q="SQL injection"
    http://groups.google.com/groups?hl=...safe=off&q="SQL injection"&btnG=Google Search

    Tim.


    "BTnews" <> wrote in message
    news:bvjb7b$a72$...
    > Hi,
    >
    > Can anyone here point me at a definitive guide or tutorial about using
    > escape characters when building SQL queries from user entered data?
    > I'm especially interested in info on this in regard to Access databases and
    > (classic) ASP.
    >
    > I've been writing ASP for just over a year now, and I've usually found very
    > comprehensive answers to other problems on one of the many excellent website
    > resources out there. The coverage of this particular issue seems to be
    > patchy at best though. Given the importance of this in regards to security
    > and making sure key features like search facilities work properly I'm
    > surprised it isn't covered very well. The solutions I've seen include
    > doubling apostrophes (which doesn't always seem to work), using [] brackets
    > within LIKE clauses (so how do you escape square brackets?), using
    > backslashes, using an ESCAPE keyword etc.
    >
    > What I want to know is which solutions to use in which cases, and a full
    > list of characters to check for would be useful also.
    >
    > Thanks
    >
    > D.Jones
     
    Tim Williams, Feb 1, 2004
    #2

  3. BTnews

    Bob Barrows Guest

    BTnews wrote:
    > Hi,
    >
    > Can anyone here point me at a definitive guide or tutorial about using
    > escape characters when building SQL queries from user entered data?
    > I'm especially interested in info on this in regard to Access
    > databases and (classic) ASP.
    >
    > I've been writing ASP for just over a year now, and I've usually
    > found very comprehensive answers to other problems on one of the many
    > excellent website resources out there. The coverage of this
    > particular issue seems to be patchy at best though. Given the
    > importance of this in regards to security and making sure key
    > features like search facilities work properly I'm surprised it isn't
    > covered very well. The solutions I've seen include doubling
    > apostrophes (which doesn't always seem to work), using [] brackets
    > within LIKE clauses (so how do you escape square brackets?), using
    > backslashes, using an ESCAPE keyword etc.
    >
    > What I want to know is which solutions to use in which cases, and a
    > full list of characters to check for would be useful also.
    >
    > Thanks
    >
    > D.Jones


    In both SQL and vbscript (VB/VBA), you escape characters by doubling them. I
    have never seen a circumstance where this did not "seem to work". Perhaps
    you could expand on this ...

    Backslashes are used in jscript/javascript. I've never used a language that
    used an ESCAPE keyword.

    I have posted on this subject several times in the past, so instead of
    writing about it again, here are some links:


    http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=

    http://www.google.com/groups?hl=en&...&oe=UTF-8&as_uauthors=Bob%20Barrows&lr=&hl=en

    http://tinyurl.com/jyy0

    http://www.google.com/groups?hl=en&...x.gbl&rnum=11&prev=/groups?q=delimiter+author:Bob%2Bauthor:Barrows%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D10%26sa%3DN

    HTH,
    Bob Barrows
    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Feb 2, 2004
    #3
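
The two escaping problems raised in this thread (apostrophes in string literals, and square brackets and wildcards inside LIKE), sketched in VBScript for classic ASP with ADO. This is an added example, not code from any poster; the helper names, the `Products` table and the `Title` column are hypothetical, and it assumes the Jet OLE DB provider, where the LIKE wildcards are `%` and `_`.

```vbscript
' Added example. Helper names, table and column are hypothetical.
Const adVarWChar = 202     ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

' Double apostrophes so the value cannot close the '...' SQL string literal.
Function SqlQuote(ByVal s)
    SqlQuote = "'" & Replace(s, "'", "''") & "'"
End Function

' Make LIKE metacharacters literal by wrapping each one in [].
' "[" goes first so the brackets added for % and _ are not escaped again.
' A lone "]" needs no escaping.
Function LikeLiteral(ByVal s)
    s = Replace(s, "[", "[[]")
    s = Replace(s, "%", "[%]")
    s = Replace(s, "_", "[_]")
    LikeLiteral = s
End Function

' Concatenated form: the user text is first made LIKE-literal, then quoted.
Function BuildSearchSql(ByVal term)
    BuildSearchSql = "SELECT Title FROM Products WHERE Title LIKE " & _
        SqlQuote("%" & LikeLiteral(term) & "%")
End Function

' Parameterized form: the value is bound, never spliced into the SQL text,
' so apostrophes need no doubling. conn is an open ADODB.Connection.
Function SearchTitles(conn, ByVal term)
    Dim cmd, pattern
    pattern = "%" & LikeLiteral(term) & "%"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Title FROM Products WHERE Title LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("term", adVarWChar, _
        adParamInput, Len(pattern), pattern)
    Set SearchTitles = cmd.Execute
End Function
```

Binding the value removes the need for apostrophe doubling, but `LikeLiteral` is still required in both forms because `%`, `_` and `[` are interpreted by LIKE itself, after the string has been parsed.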