need bullet proof input validator

Discussion in 'ASP General' started by SLH, Oct 2, 2006.

  1. SLH

    SLH Guest

    hi people. im trying to validate input received via a text area on an ASP
    page before writing it to a database. i cant use client side javascript due
    to policy, so it all has to happen on the server. here is what i was trying,
    but pieces of it continue to break for one reason or another. the thinking
    behind this function was like this:

    if the input is less than 10 characters long, fail.
    if its 10 characters or greater, but it doesnt appear to contain any words,
    fail. (i try this by breaking up the input at space characters into an
    array. valid input should have several spaces, indicating several words)
    if there are 3 consecutive spaces, fail. (this cant be valid).
    then if all that passes, i need to make sure no words are longer than 10
    characters. (by looping through the words in the array)

    different parts of this fail at different times. for instance if the data
    has a newline, it fails (not sure why. is a newline looked at as 3 spaces?)
    since there are too many moving parts here i was hoping someone else might
    have a better approach to validating the input.
    thanks for any help.


    Function IsGoodInput(str)
        IsGoodInput = True
        Dim MyArray, i
        ' break the input into words at single spaces
        MyArray = Split(str, " ")
        ' fail if shorter than 10 characters, if three consecutive spaces
        ' occur anywhere, or if splitting on spaces yields only one word
        If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
            IsGoodInput = False
        Else
            ' fail if any single word is longer than 10 characters
            For i = 0 To UBound(MyArray)
                If Len(MyArray(i)) > 10 Then
                    IsGoodInput = False
                    Exit For
                End If
            Next
        End If
    End Function
     
    SLH, Oct 2, 2006
    #1

  2. SLH

    Larry Bud Guest


    Use regular expressions.
     
    Larry Bud, Oct 2, 2006
    #2

  3. SLH

    SLH Guest

    "Larry Bud" <> wrote in message
    news:...
    > Use regular expressions.
    >


    thanks, sounds great. i was kinda hoping for help though. maybe in the form
    of a good example? regular expressions arent exactly my strong point.
     
    SLH, Oct 2, 2006
    #3
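Added example, not code from the thread: the rules from the original post (plus the 1000-character cap the poster adds later) written as one server-side validator that uses regular expressions, as Larry Bud suggests. It is in JavaScript so it can double as the port asked for later in the thread. The names validateInput and isGoodInput, and the choice to treat any whitespace (including a newline) as a word separator, are my assumptions.

```javascript
// Assumed rule set, taken from the thread:
//   1. length between 10 and 1000 characters (after trimming)
//   2. no run of three or more consecutive spaces
//   3. at least two words, where words are separated by any whitespace,
//      so "line1\r\nline2" counts as two words (the case that the
//      Split(str, " ") version rejected because it only splits on spaces)
//   4. no word longer than 10 characters
// The function returns the list of failed rules instead of a bare boolean,
// so the caller can log why a submission was rejected.

const MIN_LEN = 10;
const MAX_LEN = 1000;
const MAX_WORD = 10;

function validateInput(str) {
  if (typeof str !== "string") {
    return ["not a string"];
  }
  const reasons = [];

  // Normalise Windows line endings so CRLF is one separator, then trim,
  // mirroring the Trim() call in the VBScript version.
  const text = str.replace(/\r\n/g, "\n").trim();

  // Rule 1: overall length bounds.
  if (text.length < MIN_LEN) reasons.push("too short");
  if (text.length > MAX_LEN) reasons.push("too long");

  // Rule 2: three or more consecutive spaces is never valid prose.
  if (/ {3,}/.test(text)) reasons.push("three consecutive spaces");

  // Rules 3 and 4: split on any run of whitespace, not only on " ".
  const words = text.split(/\s+/).filter((w) => w.length > 0);
  if (words.length < 2) reasons.push("fewer than two words");
  const longWord = words.find((w) => w.length > MAX_WORD);
  if (longWord !== undefined) {
    reasons.push("word longer than " + MAX_WORD + " characters: " + longWord);
  }

  return reasons;
}

// Boolean wrapper with the same name/shape as the VBScript function.
function isGoodInput(str) {
  return validateInput(str).length === 0;
}
```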
  4. SLH

    Evertjan. Guest

    SLH wrote on 02 Oct 2006 in microsoft.public.inetserver.asp.general:

    >> Use regular expressions.
    >>

    >
    > thanks, sounds great. i was kinda hoping for help though. maybe in the
    > form of a good example? regular expressions arent exactly my strong
    > point.
    >


    We all had to learn.
    The best help is if you start off, and we go along.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Oct 2, 2006
    #4
  5. SLH

    SLH Guest

    thank you! here is what i have now:

    Function IsGoodInput(str)
        IsGoodInput = True
        Dim MyArray, i
        ' collapse every run of two or more spaces down to one space
        Do While InStr(str, "  ") > 0
            str = Replace(Trim(str), "  ", " ")
        Loop
        ' overall length must be between 10 and 1000 characters
        If Len(str) < 10 Or Len(str) > 1000 Then
            IsGoodInput = False
            Exit Function
        End If
        ' break the input into words at single spaces
        MyArray = Split(str, " ")
        If UBound(MyArray) = 0 Then
            ' only one word: fail
            IsGoodInput = False
            Exit Function
        Else
            ' fail if any single word is longer than 10 characters
            For i = 0 To UBound(MyArray)
                If Len(MyArray(i)) > 10 Then
                    IsGoodInput = False
                    Exit Function
                End If
            Next
        End If
    End Function

    im trying to see if/where this will fail and so far all i can see is that if
    i enter:

    line1
    line2

    it fails. i guess because there are no spaces. only a newline after the
    first word.
    can you see anything clever to fix it so that this input would be valid?






    "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    news:...
    > try this
    >
    >
    > Function IsGoodInput(str)
    >
    > IsGoodInput = True
    > Dim MyArray, i
    >
    > 'Remove double spaces
    > '----------------------------
    > Do
    > str = Replace(Trim(str),"  "," ")
    > loop while Instr(str,"  ") > 0
    >
    > MyArray = Split(str, " ")
    >
    > 'check min length
    > ' if the input is less than 10 characters long, fail.
    > '---------------------------------------------------------------
    > If Len(str) < 10 Then
    > IsGoodInput = False
    > exit function
    > End if
    >
    > 'if its 10 characters or greater, but it doesnt appear to contain any
    > words,
    > 'fail. (i try this by breaking up the input at space characters into an
    > 'array. valid input should have several spaces, indicating several words)
    > '
    > 'make sure no words are longer than 10 characters. (?)
    > '(by looping through the words in the array)
    > '--------------------------------------------------------
    >
    > If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
    > IsGoodInput = False
    > exit function
    > Else
    > For i = 0 To UBound(MyArray)
    > If Len(MyArray(i)) > 10 Then
    > IsGoodInput = False
    > exit function
    > End If
    > Next
    > End If
    > End Function
    >
     
    SLH, Oct 2, 2006
    #5
  6. SLH

    SLH Guest

    thank you.
    that wouldnt work because when i later write the data from the DB to the
    html page i need to preserve formatting, including newlines.
    its ok though. i realize that NO input will be valid without a space. so i
    should be ok.

    thanks for your help



    "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    news:...
    > replace(str, vbnewline," " )
    >
    >
    > "SLH" <> wrote in message
    > news:%...
    >> thank you! here is what i have now:
    >>
    >> Function IsGoodInput(str)
    >> IsGoodInput = True
    >> Dim MyArray, i
    >> Do While InStr(str," ") > 0
    >> str = Replace(Trim(str)," "," ")
    >> Loop
    >> If Len(str) < 10 Or Len(str) > 1000 Then
    >> IsGoodInput = False
    >> Exit Function
    >> End if
    >> MyArray = Split(str, " ")
    >> If UBound(MyArray) = 0 Then
    >> IsGoodInput = False
    >> Exit Function
    >> Else
    >> For i = 0 To UBound(MyArray)
    >> If Len(MyArray(i)) > 10 Then
    >> IsGoodInput = False
    >> Exit Function
    >> End If
    >> Next
    >> End If
    >> End Function
    >>
    >> im tryng to see if/where this will fail and so far all i can see is that
    >> if i enter:
    >>
    >> line1
    >> line2
    >>
    >> it fails. i guess because there are no spaces. only a newline after the
    >> first word.
    >> can you see anything clever to fix it so that this input would be valid?
    >>
    >>
    >>
    >>
    >>
    >>
    >> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >> news:...
    >>> try this
    >>>
    >>>
    >>> Function IsGoodInput(str)
    >>>
    >>> IsGoodInput = True
    >>> Dim MyArray, i
    >>>
    >>> 'Remove double spaces
    >>> '----------------------------
    >>> Do
    >>> str = Replace(Trim(str)," "," ")
    >>> loop while Instr(str," ") > 0
    >>>
    >>> MyArray = Split(str, " ")
    >>>
    >>> 'check min length
    >>> ' if the input is less than 10 characters long, fail.
    >>> '---------------------------------------------------------------
    >>> If Len(str) < 10 Then
    >>> IsGoodInput = False
    >>> exit function
    >>> End if
    >>>
    >>> 'if its 10 characters or greater, but it doesnt appear to contain any
    >>> words,
    >>> 'fail. (i try this by breaking up the input at space characters into an
    >>> 'array. valid input should have several spaces, indicating several
    >>> words)
    >>> '
    >>> 'make sure no words are longer than 10 characters. (?)
    >>> '(by looping through the words in the array)
    >>> '--------------------------------------------------------
    >>>
    >>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0 Then
    >>> IsGoodInput = False
    >>> exit function
    >>> Else
    >>> For i = 0 To UBound(MyArray)
    >>> If Len(MyArray(i)) > 10 Then
    >>> IsGoodInput = False
    >>> exit function
    >>> End If
    >>> Next
    >>> End If
    >>> End Function
    >>>
    >>>
    >>> "SLH" <> wrote in message
    >>> news:...
    >>>> hi people. im trying to validate input received via a text area on an
    >>>> ASP page before writing it to a database. i cant use client side
    >>>> javascript due to policy, so it all has to happen on the server. here
    >>>> is what i was trying, but pieces of it continue to break for one reason
    >>>> or another. the thinking behind this function was like this:
    >>>>
    >>>> if the input is less than 10 characters long, fail.
    >>>> if its 10 characters or greater, but it doesnt appear to contain any
    >>>> words, fail. (i try this by breaking up the input at space characters
    >>>> into an array. valid input should have several spaces, indicating
    >>>> several words)
    >>>> if there are 3 consecutive spaces, fail. (this cant be valid).
    >>>> then if all that passes, i need to make sure no words are longer than
    >>>> 10 characters. (by looping through the words in the array)
    >>>>
    >>>> different parts of this fail at different times. for instance if the
    >>>> data has a newline, it fails (not sure why. is a newline looked at as 3
    >>>> spaces?)
    >>>> since there are too many moving parts here i was hoping someone else
    >>>> might have a better approach to validating the input.
    >>>> thanks for any help.
    >>>>
    >>>>
    >>>> Function IsGoodInput(str)
    >>>> IsGoodInput = True
    >>>> Dim MyArray, i
    >>>> MyArray = Split(str, " ")
    >>>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0 Then
    >>>> IsGoodInput = False
    >>>> Else
    >>>> For i = 0 To UBound(MyArray)
    >>>> If Len(MyArray(i)) > 10 Then
    >>>> IsGoodInput = False
    >>>> Exit For
    >>>> End If
    >>>> Next
    >>>> End If
    >>>> End Function
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    SLH, Oct 2, 2006
    #6
  7. SLH

    SLH Guest

    hey i have to duplicate this function in javascript. the only part im
    struggling with is the following:

    Do While InStr(str, "  ") > 0
        str = Replace(Trim(str), "  ", " ")
    Loop

    the javascript replace function sucks. it only replaces the first occurrence
    of what youre looking for.... any ideas?




    "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    news:...
    > assign str to tempStr then validate - if ok, then save str
    >
    >
    > "SLH" <> wrote in message
    > news:...
    >> thank you.
    >> that wouldnt work because when i later write the data from the DB to the
    >> html page i need to preserver formatting, including newlines.
    >> its ok though. i realize that NO inpute will be valid without a space. so
    >> i should be ok.
    >>
    >> thanks for your help
    >>
    >>
    >>
    >> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >> news:...
    >>> replace(str, vbnewline," " )
    >>>
    >>>
    >>> "SLH" <> wrote in message
    >>> news:%...
    >>>> thank you! here is what i have now:
    >>>>
    >>>> Function IsGoodInput(str)
    >>>> IsGoodInput = True
    >>>> Dim MyArray, i
    >>>> Do While InStr(str," ") > 0
    >>>> str = Replace(Trim(str)," "," ")
    >>>> Loop
    >>>> If Len(str) < 10 Or Len(str) > 1000 Then
    >>>> IsGoodInput = False
    >>>> Exit Function
    >>>> End if
    >>>> MyArray = Split(str, " ")
    >>>> If UBound(MyArray) = 0 Then
    >>>> IsGoodInput = False
    >>>> Exit Function
    >>>> Else
    >>>> For i = 0 To UBound(MyArray)
    >>>> If Len(MyArray(i)) > 10 Then
    >>>> IsGoodInput = False
    >>>> Exit Function
    >>>> End If
    >>>> Next
    >>>> End If
    >>>> End Function
    >>>>
    >>>> im tryng to see if/where this will fail and so far all i can see is
    >>>> that if i enter:
    >>>>
    >>>> line1
    >>>> line2
    >>>>
    >>>> it fails. i guess because there are no spaces. only a newline after the
    >>>> first word.
    >>>> can you see anything clever to fix it so that this input would be
    >>>> valid?
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>>> news:...
    >>>>> try this
    >>>>>
    >>>>>
    >>>>> Function IsGoodInput(str)
    >>>>>
    >>>>> IsGoodInput = True
    >>>>> Dim MyArray, i
    >>>>>
    >>>>> 'Remove double spaces
    >>>>> '----------------------------
    >>>>> Do
    >>>>> str = Replace(Trim(str)," "," ")
    >>>>> loop while Instr(str," ") > 0
    >>>>>
    >>>>> MyArray = Split(str, " ")
    >>>>>
    >>>>> 'check min length
    >>>>> ' if the input is less than 10 characters long, fail.
    >>>>> '---------------------------------------------------------------
    >>>>> If Len(str) < 10 Then
    >>>>> IsGoodInput = False
    >>>>> exit function
    >>>>> End if
    >>>>>
    >>>>> 'if its 10 characters or greater, but it doesnt appear to contain any
    >>>>> words,
    >>>>> 'fail. (i try this by breaking up the input at space characters into
    >>>>> an
    >>>>> 'array. valid input should have several spaces, indicating several
    >>>>> words)
    >>>>> '
    >>>>> 'make sure no words are longer than 10 characters. (?)
    >>>>> '(by looping through the words in the array)
    >>>>> '--------------------------------------------------------
    >>>>>
    >>>>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0
    >>>>> Then
    >>>>> IsGoodInput = False
    >>>>> exit function
    >>>>> Else
    >>>>> For i = 0 To UBound(MyArray)
    >>>>> If Len(MyArray(i)) > 10 Then
    >>>>> IsGoodInput = False
    >>>>> exit function
    >>>>> End If
    >>>>> Next
    >>>>> End If
    >>>>> End Function
    >>>>>
    >>>>>
    >>>>> "SLH" <> wrote in message
    >>>>> news:...
    >>>>>> hi people. im trying to validate input received via a text area on an
    >>>>>> ASP page before writing it to a database. i cant use client side
    >>>>>> javascript due to policy, so it all has to happen on the server. here
    >>>>>> is what i was trying, but pieces of it continue to break for one
    >>>>>> reason or another. the thinking behind this function was like this:
    >>>>>>
    >>>>>> if the input is less than 10 characters long, fail.
    >>>>>> if its 10 characters or greater, but it doesnt appear to contain any
    >>>>>> words, fail. (i try this by breaking up the input at space characters
    >>>>>> into an array. valid input should have several spaces, indicating
    >>>>>> several words)
    >>>>>> if there are 3 consecutive spaces, fail. (this cant be valid).
    >>>>>> then if all that passes, i need to make sure no words are longer than
    >>>>>> 10 characters. (by looping through the words in the array)
    >>>>>>
    >>>>>> different parts of this fail at different times. for instance if the
    >>>>>> data has a newline, it fails (not sure why. is a newline looked at as
    >>>>>> 3 spaces?)
    >>>>>> since there are too many moving parts here i was hoping someone else
    >>>>>> might have a better approach to validating the input.
    >>>>>> thanks for any help.
    >>>>>>
    >>>>>>
    >>>>>> Function IsGoodInput(str)
    >>>>>> IsGoodInput = True
    >>>>>> Dim MyArray, i
    >>>>>> MyArray = Split(str, " ")
    >>>>>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0
    >>>>>> Then
    >>>>>> IsGoodInput = False
    >>>>>> Else
    >>>>>> For i = 0 To UBound(MyArray)
    >>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>> IsGoodInput = False
    >>>>>> Exit For
    >>>>>> End If
    >>>>>> Next
    >>>>>> End If
    >>>>>> End Function
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    SLH, Oct 2, 2006
    #7
  8. SLH

    Victor Guest

    In addition to the suggestions here, I'd also check to see if the strings "<%" or "%>" are
    in the input, and if they are, invalidate the input and ban the IP address.

    Of course, you'll want to set up the test strings like this:
    strBad1 = "<" & "%"
    strBad2 = "%" & ">"

    After that, see if the characters "<" or ">" are in the string, and if they are, invalidate
    the input.



    "SLH" <> wrote in message news:...
    > hi people. im trying to validate input received via a text area on an ASP
    > page before writing it to a database. i cant use client side javascript due
    > to policy, so it all has to happen on the server. here is what i was trying,
    > but pieces of it continue to break for one reason or another. the thinking
    > behind this function was like this:
    >
    > if the input is less than 10 characters long, fail.
    > if its 10 characters or greater, but it doesnt appear to contain any words,
    > fail. (i try this by breaking up the input at space characters into an
    > array. valid input should have several spaces, indicating several words)
    > if there are 3 consecutive spaces, fail. (this cant be valid).
    > then if all that passes, i need to make sure no words are longer than 10
    > characters. (by looping through the words in the array)
    >
    > different parts of this fail at different times. for instance if the data
    > has a newline, it fails (not sure why. is a newline looked at as 3 spaces?)
    > since there are too many moving parts here i was hoping someone else might
    > have a better approach to validating the input.
    > thanks for any help.
    >
    >
    > Function IsGoodInput(str)
    > IsGoodInput = True
    > Dim MyArray, i
    > MyArray = Split(str, " ")
    > If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0 Then
    > IsGoodInput = False
    > Else
    > For i = 0 To UBound(MyArray)
    > If Len(MyArray(i)) > 10 Then
    > IsGoodInput = False
    > Exit For
    > End If
    > Next
    > End If
    > End Function
    >
    >
     
    Victor, Oct 2, 2006
    #8
  9. SLH

    SLH Guest

    almost... but that only makes one pass at the string.
    so if there are 4 spaces, it replaces that with 2 spaces, but then leaves it
    alone.
    i somehow have to continue to loop through the string while there are 2
    spaces in a row... just like the VBS one.

    im going to go play, but do you have any ideas?




    "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    news:...
    > http://www.tizag.com/javascriptT/javascript-string-replace.php
    >
    > "SLH" <> wrote in message
    > news:%...
    >> hey i have to duplicate this function in javascript. the only part im
    >> struggling with is the following:
    >>
    >> Do While InStr(str," ") > 0
    >> str = Replace(Trim(str)," "," ")
    >> Loop
    >>
    >> the javascript replace function sucks. it only replaces the first
    >> occurence of what youre looking for.... any ideas?
    >>
    >>
    >>
    >>
    >> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >> news:...
    >>> assign str to tempStr then validate - if ok, then save str
    >>>
    >>>
    >>> "SLH" <> wrote in message
    >>> news:...
    >>>> thank you.
    >>>> that wouldnt work because when i later write the data from the DB to
    >>>> the html page i need to preserver formatting, including newlines.
    >>>> its ok though. i realize that NO inpute will be valid without a space.
    >>>> so i should be ok.
    >>>>
    >>>> thanks for your help
    >>>>
    >>>>
    >>>>
    >>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>>> news:...
    >>>>> replace(str, vbnewline," " )
    >>>>>
    >>>>>
    >>>>> "SLH" <> wrote in message
    >>>>> news:%...
    >>>>>> thank you! here is what i have now:
    >>>>>>
    >>>>>> Function IsGoodInput(str)
    >>>>>> IsGoodInput = True
    >>>>>> Dim MyArray, i
    >>>>>> Do While InStr(str," ") > 0
    >>>>>> str = Replace(Trim(str)," "," ")
    >>>>>> Loop
    >>>>>> If Len(str) < 10 Or Len(str) > 1000 Then
    >>>>>> IsGoodInput = False
    >>>>>> Exit Function
    >>>>>> End if
    >>>>>> MyArray = Split(str, " ")
    >>>>>> If UBound(MyArray) = 0 Then
    >>>>>> IsGoodInput = False
    >>>>>> Exit Function
    >>>>>> Else
    >>>>>> For i = 0 To UBound(MyArray)
    >>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>> IsGoodInput = False
    >>>>>> Exit Function
    >>>>>> End If
    >>>>>> Next
    >>>>>> End If
    >>>>>> End Function
    >>>>>>
    >>>>>> im tryng to see if/where this will fail and so far all i can see is
    >>>>>> that if i enter:
    >>>>>>
    >>>>>> line1
    >>>>>> line2
    >>>>>>
    >>>>>> it fails. i guess because there are no spaces. only a newline after
    >>>>>> the first word.
    >>>>>> can you see anything clever to fix it so that this input would be
    >>>>>> valid?
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>>>>> news:...
    >>>>>>> try this
    >>>>>>>
    >>>>>>>
    >>>>>>> Function IsGoodInput(str)
    >>>>>>>
    >>>>>>> IsGoodInput = True
    >>>>>>> Dim MyArray, i
    >>>>>>>
    >>>>>>> 'Remove double spaces
    >>>>>>> '----------------------------
    >>>>>>> Do
    >>>>>>> str = Replace(Trim(str)," "," ")
    >>>>>>> loop while Instr(str," ") > 0
    >>>>>>>
    >>>>>>> MyArray = Split(str, " ")
    >>>>>>>
    >>>>>>> 'check min length
    >>>>>>> ' if the input is less than 10 characters long, fail.
    >>>>>>> '---------------------------------------------------------------
    >>>>>>> If Len(str) < 10 Then
    >>>>>>> IsGoodInput = False
    >>>>>>> exit function
    >>>>>>> End if
    >>>>>>>
    >>>>>>> 'if its 10 characters or greater, but it doesnt appear to contain
    >>>>>>> any words,
    >>>>>>> 'fail. (i try this by breaking up the input at space characters into
    >>>>>>> an
    >>>>>>> 'array. valid input should have several spaces, indicating several
    >>>>>>> words)
    >>>>>>> '
    >>>>>>> 'make sure no words are longer than 10 characters. (?)
    >>>>>>> '(by looping through the words in the array)
    >>>>>>> '--------------------------------------------------------
    >>>>>>>
    >>>>>>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0
    >>>>>>> Then
    >>>>>>> IsGoodInput = False
    >>>>>>> exit function
    >>>>>>> Else
    >>>>>>> For i = 0 To UBound(MyArray)
    >>>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>>> IsGoodInput = False
    >>>>>>> exit function
    >>>>>>> End If
    >>>>>>> Next
    >>>>>>> End If
    >>>>>>> End Function
    >>>>>>>
    >>>>>>>
    >>>>>>> "SLH" <> wrote in message
    >>>>>>> news:...
    >>>>>>>> hi people. im trying to validate input received via a text area on
    >>>>>>>> an ASP page before writing it to a database. i cant use client side
    >>>>>>>> javascript due to policy, so it all has to happen on the server.
    >>>>>>>> here is what i was trying, but pieces of it continue to break for
    >>>>>>>> one reason or another. the thinking behind this function was like
    >>>>>>>> this:
    >>>>>>>>
    >>>>>>>> if the input is less than 10 characters long, fail.
    >>>>>>>> if its 10 characters or greater, but it doesnt appear to contain
    >>>>>>>> any words, fail. (i try this by breaking up the input at space
    >>>>>>>> characters into an array. valid input should have several spaces,
    >>>>>>>> indicating several words)
    >>>>>>>> if there are 3 consecutive spaces, fail. (this cant be valid).
    >>>>>>>> then if all that passes, i need to make sure no words are longer
    >>>>>>>> than 10 characters. (by looping through the words in the array)
    >>>>>>>>
    >>>>>>>> different parts of this fail at different times. for instance if
    >>>>>>>> the data has a newline, it fails (not sure why. is a newline looked
    >>>>>>>> at as 3 spaces?)
    >>>>>>>> since there are too many moving parts here i was hoping someone
    >>>>>>>> else might have a better approach to validating the input.
    >>>>>>>> thanks for any help.
    >>>>>>>>
    >>>>>>>>
    >>>>>>>> Function IsGoodInput(str)
    >>>>>>>> IsGoodInput = True
    >>>>>>>> Dim MyArray, i
    >>>>>>>> MyArray = Split(str, " ")
    >>>>>>>> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0
    >>>>>>>> Then
    >>>>>>>> IsGoodInput = False
    >>>>>>>> Else
    >>>>>>>> For i = 0 To UBound(MyArray)
    >>>>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>>>> IsGoodInput = False
    >>>>>>>> Exit For
    >>>>>>>> End If
    >>>>>>>> Next
    >>>>>>>> End If
    >>>>>>>> End Function
    >>>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    SLH, Oct 3, 2006
    #9
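Added example, not code from the thread: two JavaScript ways to do what the VBScript `Do While InStr(str,"  ") > 0 / Replace(Trim(str),"  "," ")` loop does. String.prototype.replace with a string pattern only touches the first match, which is what the poster ran into; a RegExp with the g flag touches every match, but a single global pass of "  " to " " still turns four spaces into two (the one-pass problem described above), so collapsing runs needs either the loop or a pattern that matches the whole run. The function names are my own.

```javascript
// Escape regex metacharacters so an arbitrary search string can be used
// literally inside a RegExp (otherwise lookfor = "." would match everything).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Literal, non-overlapping replace-all in a single pass. Note that this
// still maps "    " (4 spaces) to "  " (2 spaces) when lookfor is "  ":
// the two matches are replaced side by side and the result is not rescanned.
function replaceAll(str, lookfor, changeto) {
  if (lookfor.length === 0) return str;
  return str.replace(new RegExp(escapeRegExp(lookfor), "g"), changeto);
}

// Collapse every run of two or more spaces to one space in one pass.
// The pattern matches the whole run, so 4 spaces become 1, not 2.
function collapseSpaces(str) {
  return str.trim().replace(/ {2,}/g, " ");
}

// The loop form from the thread, for comparison. It gives the same result
// as collapseSpaces but rescans the string on every iteration, so it is
// quadratic on long runs of spaces.
function collapseSpacesLoop(str) {
  let temp = str.trim();
  while (temp.indexOf("  ") > -1) {
    temp = temp.replace("  ", " ");
  }
  return temp;
}
```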
  10. SLH

    SLH Guest

    if i HTMLEncode the string before i write it to the database, that should
    take care of that... no?




    "Victor" <> wrote in message
    news:...
    > In addition to suggestions here, I'd also check to see if the strings "<%"
    > or "%>" are
    > in the input, and if it is, invalidate the input and ban the IP address.
    >
    > Of course, you'll want to set up the test strings like this:
    > strBad1 = "<" & "%"
    > strBad2 = "%" & ">"
    >
    > After that, see if the characters "<" or ">" are in the string, and if it
    > is, invalidate
    > the input.
    >
    >
    >
    > "SLH" <> wrote in message
    > news:...
    >> hi people. im trying to validate input received via a text area on an ASP
    >> page before writing it to a database. i cant use client side javascript
    >> due
    >> to policy, so it all has to happen on the server. here is what i was
    >> trying,
    >> but pieces of it continue to break for one reason or another. the
    >> thinking
    >> behind this function was like this:
    >>
    >> if the input is less than 10 characters long, fail.
    >> if its 10 characters or greater, but it doesnt appear to contain any
    >> words,
    >> fail. (i try this by breaking up the input at space characters into an
    >> array. valid input should have several spaces, indicating several words)
    >> if there are 3 consecutive spaces, fail. (this cant be valid).
    >> then if all that passes, i need to make sure no words are longer than 10
    >> characters. (by looping through the words in the array)
    >>
    >> different parts of this fail at different times. for instance if the data
    >> has a newline, it fails (not sure why. is a newline looked at as 3
    >> spaces?)
    >> since there are too many moving parts here i was hoping someone else
    >> might
    >> have a better approach to validating the input.
    >> thanks for any help.
    >>
    >>
    >> Function IsGoodInput(str)
    >> IsGoodInput = True
    >> Dim MyArray, i
    >> MyArray = Split(str, " ")
    >> If Len(str) < 10 Or InStr(str, " ") <> 0 Or UBound(MyArray) = 0 Then
    >> IsGoodInput = False
    >> Else
    >> For i = 0 To UBound(MyArray)
    >> If Len(MyArray(i)) > 10 Then
    >> IsGoodInput = False
    >> Exit For
    >> End If
    >> Next
    >> End If
    >> End Function
    >>
    >>

    >
    >
     
    SLH, Oct 3, 2006
    #10
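Added example, not code from the thread: a JavaScript equivalent of the HTML encoding asked about above, applied at output time rather than before the database write. Encoding makes "<", ">", "&" and quotes inert in the page whatever the stored text contains, which is what the "<%" and "<" blocklist is trying to achieve, and it keeps the newlines the poster needs to preserve: encode first, then turn line breaks into <br>. The names htmlEncode and renderStoredText are my own.

```javascript
// Characters with special meaning in HTML text and attribute content.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every special character with its entity. Storing the raw text and
// encoding here, at output, avoids double-encoding and keeps the stored value
// usable for non-HTML consumers (e-mail, CSV export, search).
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render stored text for an HTML page: encode, then convert line breaks.
// In this order a "<br>" typed by the user is shown literally, and the only
// markup in the output is the <br> tags added here.
function renderStoredText(text) {
  return htmlEncode(text).replace(/\r\n|\r|\n/g, "<br>\n");
}
```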
  11. SLH

    SLH Guest

    this seems to work nicely:

    function replaceall(str, lookfor, changeto) {
        str = str.replace(/^\s*|\s*$/g, ""); // trim leading and trailing whitespace first
        var temp = str;
        var i = temp.indexOf(lookfor);
        // String.replace only changes the first match, so repeat until none remain
        while (i > -1) {
            temp = temp.replace(lookfor, changeto);
            i = temp.indexOf(lookfor);
        }
        return temp;
    }




    "SLH" <> wrote in message
    news:...
    > almost... but that only makes one pass at the string.
    > so if there are 4 spaces, it replaces that with 2 spaces, but then leaves
    > it alone.
    > i somehow have to continue to loop through the string while there are 2
    > spaces in a row... just like the VBS one.
    >
    > im going to go play, but do you have any ideas?
    >
    >
    >
    >
    > "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    > news:...
    >> http://www.tizag.com/javascriptT/javascript-string-replace.php
    >>
    >> "SLH" <> wrote in message
    >> news:%...
    >>> hey i have to duplicate this function in javascript. the only part im
    >>> struggling with is the following:
    >>>
    >>> Do While InStr(str,"  ") > 0
    >>> str = Replace(Trim(str),"  "," ")
    >>> Loop
    >>>
    >>> the javascript replace function sucks. it only replaces the first
    >>> occurrence of what youre looking for.... any ideas?
    >>>
    >>>
    >>>
    >>>
    >>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>> news:...
    >>>> assign str to tempStr then validate - if ok, then save str
    >>>>
    >>>>
    >>>> "SLH" <> wrote in message
    >>>> news:...
    >>>>> thank you.
    >>>>> that wouldnt work because when i later write the data from the DB to
    >>>>> the html page i need to preserve formatting, including newlines.
    >>>>> its ok though. i realize that NO input will be valid without a space.
    >>>>> so i should be ok.
    >>>>>
    >>>>> thanks for your help
    >>>>>
    >>>>>
    >>>>>
    >>>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>>>> news:...
    >>>>>> replace(str, vbnewline," " )
    >>>>>>
    >>>>>>
    >>>>>> "SLH" <> wrote in message
    >>>>>> news:%...
    >>>>>>> thank you! here is what i have now:
    >>>>>>>
    >>>>>>> Function IsGoodInput(str)
    >>>>>>> IsGoodInput = True
    >>>>>>> Dim MyArray, i
    >>>>>>> Do While InStr(str,"  ") > 0
    >>>>>>> str = Replace(Trim(str),"  "," ")
    >>>>>>> Loop
    >>>>>>> If Len(str) < 10 Or Len(str) > 1000 Then
    >>>>>>> IsGoodInput = False
    >>>>>>> Exit Function
    >>>>>>> End if
    >>>>>>> MyArray = Split(str, " ")
    >>>>>>> If UBound(MyArray) = 0 Then
    >>>>>>> IsGoodInput = False
    >>>>>>> Exit Function
    >>>>>>> Else
    >>>>>>> For i = 0 To UBound(MyArray)
    >>>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>>> IsGoodInput = False
    >>>>>>> Exit Function
    >>>>>>> End If
    >>>>>>> Next
    >>>>>>> End If
    >>>>>>> End Function
    >>>>>>>
    >>>>>>> im trying to see if/where this will fail and so far all i can see is
    >>>>>>> that if i enter:
    >>>>>>>
    >>>>>>> line1
    >>>>>>> line2
    >>>>>>>
    >>>>>>> it fails. i guess because there are no spaces. only a newline after
    >>>>>>> the first word.
    >>>>>>> can you see anything clever to fix it so that this input would be
    >>>>>>> valid?
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>> "Jon Paal" <Jon nospam Paal @ everywhere dot com> wrote in message
    >>>>>>> news:...
    >>>>>>>> try this
    >>>>>>>>
    >>>>>>>>
    >>>>>>>> Function IsGoodInput(str)
    >>>>>>>>
    >>>>>>>> IsGoodInput = True
    >>>>>>>> Dim MyArray, i
    >>>>>>>>
    >>>>>>>> 'Remove double spaces
    >>>>>>>> '----------------------------
    >>>>>>>> Do
    >>>>>>>> str = Replace(Trim(str),"  "," ")
    >>>>>>>> loop while Instr(str,"  ") > 0
    >>>>>>>>
    >>>>>>>> MyArray = Split(str, " ")
    >>>>>>>>
    >>>>>>>> 'check min length
    >>>>>>>> ' if the input is less than 10 characters long, fail.
    >>>>>>>> '---------------------------------------------------------------
    >>>>>>>> If Len(str) < 10 Then
    >>>>>>>> IsGoodInput = False
    >>>>>>>> exit function
    >>>>>>>> End if
    >>>>>>>>
    >>>>>>>> 'if its 10 characters or greater, but it doesnt appear to contain
    >>>>>>>> any words,
    >>>>>>>> 'fail. (i try this by breaking up the input at space characters
    >>>>>>>> into an
    >>>>>>>> 'array. valid input should have several spaces, indicating several
    >>>>>>>> words)
    >>>>>>>> '
    >>>>>>>> 'make sure no words are longer than 10 characters. (?)
    >>>>>>>> '(by looping through the words in the array)
    >>>>>>>> '--------------------------------------------------------
    >>>>>>>>
    >>>>>>>> If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
    >>>>>>>> IsGoodInput = False
    >>>>>>>> exit function
    >>>>>>>> Else
    >>>>>>>> For i = 0 To UBound(MyArray)
    >>>>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>>>> IsGoodInput = False
    >>>>>>>> exit function
    >>>>>>>> End If
    >>>>>>>> Next
    >>>>>>>> End If
    >>>>>>>> End Function
    >>>>>>>>
    >>>>>>>>
    >>>>>>>> "SLH" <> wrote in message
    >>>>>>>> news:...
    >>>>>>>>> hi people. im trying to validate input received via a text area on
    >>>>>>>>> an ASP page before writing it to a database. i cant use client
    >>>>>>>>> side javascript due to policy, so it all has to happen on the
    >>>>>>>>> server. here is what i was trying, but pieces of it continue to
    >>>>>>>>> break for one reason or another. the thinking behind this function
    >>>>>>>>> was like this:
    >>>>>>>>>
    >>>>>>>>> if the input is less than 10 characters long, fail.
    >>>>>>>>> if its 10 characters or greater, but it doesnt appear to contain
    >>>>>>>>> any words, fail. (i try this by breaking up the input at space
    >>>>>>>>> characters into an array. valid input should have several spaces,
    >>>>>>>>> indicating several words)
    >>>>>>>>> if there are 3 consecutive spaces, fail. (this cant be valid).
    >>>>>>>>> then if all that passes, i need to make sure no words are longer
    >>>>>>>>> than 10 characters. (by looping through the words in the array)
    >>>>>>>>>
    >>>>>>>>> different parts of this fail at different times. for instance if
    >>>>>>>>> the data has a newline, it fails (not sure why. is a newline
    >>>>>>>>> looked at as 3 spaces?)
    >>>>>>>>> since there are too many moving parts here i was hoping someone
    >>>>>>>>> else might have a better approach to validating the input.
    >>>>>>>>> thanks for any help.
    >>>>>>>>>
    >>>>>>>>>
    >>>>>>>>> Function IsGoodInput(str)
    >>>>>>>>> IsGoodInput = True
    >>>>>>>>> Dim MyArray, i
    >>>>>>>>> MyArray = Split(str, " ")
    >>>>>>>>> If Len(str) < 10 Or InStr(str, "   ") <> 0 Or UBound(MyArray) = 0 Then
    >>>>>>>>> IsGoodInput = False
    >>>>>>>>> Else
    >>>>>>>>> For i = 0 To UBound(MyArray)
    >>>>>>>>> If Len(MyArray(i)) > 10 Then
    >>>>>>>>> IsGoodInput = False
    >>>>>>>>> Exit For
    >>>>>>>>> End If
    >>>>>>>>> Next
    >>>>>>>>> End If
    >>>>>>>>> End Function
    >>>>>>>>>
    >>>>>>>>
    >>>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    SLH, Oct 3, 2006
    #11
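    The validator the thread has been converging on, as an added JavaScript example (not code from any of the posters): whitespace is normalised on a throwaway copy, the copy is checked for overall length, word count and word length, and the untouched original is what gets stored, so newlines survive for later display. The function names (replaceAllLoop, normalizeForValidation, validationError, checkForStorage) and the limits as constants are this example's own choices; the limits themselves are the ones used in the thread.

```javascript
// Added example, not code from the thread: the validator the posts above
// converge on, written in JavaScript so it can run as server-side logic
// (classic ASP with JScript, or Node.js). Limits are the ones used in the thread.
var MIN_LEN = 10;       // whole input must be at least this long
var MAX_LEN = 1000;     // and no longer than this
var MAX_WORD_LEN = 10;  // no single word may exceed this

// Loop-based replacement in the style of the replaceall() posted above.
// String.prototype.replace with a string pattern only replaces the first hit,
// so keep replacing until indexOf() finds nothing. Caveat: if `changeto`
// contains `lookfor` the loop never terminates, so callers must avoid that.
function replaceAllLoop(str, lookfor, changeto) {
  var temp = str;
  while (temp.indexOf(lookfor) > -1) {
    temp = temp.replace(lookfor, changeto);
  }
  return temp;
}

// Same effect in one pass with a global regex: every run of whitespace
// (spaces, tabs, CR and LF) becomes a single space and the ends are trimmed.
// Treating newlines as separators is what makes "line1\nline2" count as two
// words, the case reported as failing in the thread.
function normalizeForValidation(str) {
  return String(str).replace(/\s+/g, " ").replace(/^\s*|\s*$/g, "");
}

// Returns "" when the text is acceptable, otherwise a short reason.
function validationError(str) {
  var normalized = normalizeForValidation(str);
  if (normalized.length < MIN_LEN) return "shorter than " + MIN_LEN + " characters";
  if (normalized.length > MAX_LEN) return "longer than " + MAX_LEN + " characters";
  var words = normalized.split(" ");
  if (words.length < 2) return "fewer than two words";
  for (var i = 0; i < words.length; i++) {
    if (words[i].length > MAX_WORD_LEN) {
      return "word longer than " + MAX_WORD_LEN + " characters: " + words[i];
    }
  }
  return "";
}

function isGoodInput(str) {
  return validationError(str) === "";
}

// Validate a throwaway copy and store the original, as suggested in the
// thread ("assign str to tempStr then validate - if ok, then save str"):
// the value written to the database keeps its newlines for later display.
function checkForStorage(raw) {
  var reason = validationError(raw);
  if (reason !== "") return { accept: false, reason: reason, value: null };
  return { accept: true, reason: "", value: raw };
}
```

    Because the checks run on the normalised copy, the "3 consecutive spaces" rule from the original post becomes redundant: runs of spaces, tabs and newlines have already collapsed to one space before any length or word-count test runs, and the stored value is never altered.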
  12. Dave Anderson

    Victor wrote:
    > In addition to suggestions here, I'd also check to see if
    > the strings "<%" or "%>" are in the input, and if it is,
    > invalidate the input and ban the IP address.


    That's just plain stupid.

    For one thing, you imply that the server will somehow respond to the text as
    though it should switch context and execute the contents. This is UTTERLY
    without merit. It cannot happen because the script is parsed *before* it is
    interpreted. Context blocks are already determined before those strings are
    ever encountered.

    Secondly, you imply that there is no legitimate reason to use those
    character sequences while simultaneously using those character sequences to
    make your "suggestion". This is pure hypocrisy.

    Lastly, you cannot effectively ban a user by "banning the IP address".
    Besides introducing a hurdle for anyone behind the same proxy as your
    "offender", you assume the user has a static address.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
     
    Dave Anderson, Oct 3, 2006
    #12
  13. Dave Anderson

    SLH wrote:
    > if i HHTPEncode the string before i write it to the
    > database, that should take care of that... no?


    You mean HTMLEncode?

    In my opinion (and in my shop), it is preferable to store the input AS
    ENTERED. This leads to the decision of what is allowable. If we decide to
    allow free-form text, we always *display* that text with
    Server.HTMLEncode().

    If not, we audit the input for format compatibility and reject it when it
    does not fit. That way, our database always reflects *EXACTLY* what the user
    submitted.

    Among other things, this makes searching more accurate and abbreviates the
    need to perform stupid "compatibility" validation. It also makes our
    processes more robust, since this approach does not permit us to take
    shortcuts on security.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
     
    Dave Anderson, Oct 3, 2006
    #13
  14. SLH

    SLH Guest

    thanks Dave.

    so youre saying validate the input when submitted, write it to the database
    AS IS, then Server.HTMLEncode as i pull it FROM the database to display on
    the page?



    "Dave Anderson" <> wrote in message
    news:...
    > Victor wrote:
    >> In addition to suggestions here, I'd also check to see if
    >> the strings "<%" or "%>" are in the input, and if it is,
    >> invalidate the input and ban the IP address.

    >
    > That's just plain stupid.
    >
    > For one thing, you imply that the server will somehow respond to the text
    > as though it should switch context and execute the contents. This is
    > UTTERLY without merit. It cannot happen because the script is parsed
    > *before* it is interpreted. Context blocks are already determined before
    > those strings are ever encountered.
    >
    > Secondly, you imply that there is no legitimate reason to use those
    > character sequences while simultaneously using those character sequences
    > to make your "suggestion". This is pure hypocrisy.
    >
    > Lastly, you cannot effectively ban a user by "banning the IP address".
    > Besides introducing a hurdle for anyone behind the same proxy as your
    > "offender", you assume the user has a static address.
    >
    >
    >
    > --
    > Dave Anderson
    >
    > Unsolicited commercial email will be read at a cost of $500 per message.
    > Use of this email address implies consent to these terms.
    >
     
    SLH, Oct 3, 2006
    #14
  15. Dave Anderson

    SLH wrote:
    > thanks Dave.
    >
    > so youre saying validate the input when submitted, write it to
    > the database AS IS, then Server.HTMLEncode as i pull it FROM
    > the database to display on the page?


    Mostly, yes.

    If your validation PRECLUDES the possibility of unwanted characters, then
    HTMLEncode might be considered superfluous. I would certainly not criticize
    you for using it anyway.

    I am also saying that by using the right approach, you can limit your
    validation to something as little as string length (since your DB field
    almost certainly requires you to check for that).

    The decision to forego validation DOES mean you must protect yourself from
    SQL injection, however. This is best done with parametrized stored
    procedures, IMO. It is also fairly convenient to use the
    SP-as-method-of-connection technique when inserting the data, though it is
    not always possible.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms.
     
    Dave Anderson, Oct 3, 2006
    #15
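    The store-as-entered, encode-on-display approach Dave describes, as an added JavaScript example (not from the thread): htmlEncode stands in for Server.HTMLEncode, and the rows array is a constructed stand-in for the database table. The function names are this example's own.

```javascript
// Added example, not code from the thread: the "store as entered, encode on
// display" approach described above, in JavaScript. htmlEncode() plays the
// role of Server.HTMLEncode(): the characters that carry meaning in HTML
// (&, <, >, ") are replaced by entity references so stored text is shown
// literally rather than parsed as markup. The single quote is encoded too,
// which Server.HTMLEncode() does not do; it only matters inside
// single-quoted attribute values, but costs nothing here.
var HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;"
};

function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}

// Minimal stand-in for the database table (constructed for this example).
// Values go in exactly as submitted; nothing is escaped or rewritten here.
var rows = [];

function saveAsEntered(text) {
  rows.push(text);
  return rows.length - 1;     // row id
}

// Encoding happens once, at render time, inside the element being emitted.
// Because the stored value is untouched, it round-trips exactly and can be
// searched for as typed ("<%" matches "<%", not "&lt;%").
function renderStored(rowId) {
  return "<p>" + htmlEncode(rows[rowId]) + "</p>";
}

function storedMatches(rowId, needle) {
  return rows[rowId].indexOf(needle) !== -1;
}
```

    Storing the raw text and encoding at output is what lets a field legitimately contain "<%" or "%>": the sequence is inert in the database and is rendered as literal characters, so no input-side blacklist is needed for display safety. Keeping user input out of SQL statements is the separate concern Dave raises next, and parameters handle that regardless of what the text contains.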
  16. SLH

    SLH Guest

    "Dave Anderson" <> wrote in message
    news:%231g$...
    > SLH wrote:
    >> thanks Dave.
    >>
    >> so youre saying validate the input when submitted, write it to
    >> the database AS IS, then Server.HTMLEncode as i pull it FROM
    >> the database to display on the page?

    >
    > Mostly, yes.
    >
    > If your validation PRECLUDES the possibility of unwanted characters, then
    > HTMLEncode might be considered superfluous. I would certainly not
    > criticize you for using it anyway.


    i have a field where it could be perfectly valid to submit "<%" or "%>" for
    example.
    since i would want to allow this input, how would you recommend i go about
    the whole thing to make it as sound as possible?



    >
    > I am also saying that by using the right approach, you can limit your
    > validation to something as little as string length (since your DB field
    > almost certainly requires you to check for that).
    >
    > The decision to forego validation DOES mean you must protect yourself from
    > SQL injection, however. This is best done with parametrized stored
    > procedures, IMO. It is also fairly convenient to use the
    > SP-as-method-of-connection technique when inserting the data, though it is
    > not always possible.
    >
    >
    >
    > --
    > Dave Anderson
    >
    > Unsolicited commercial email will be read at a cost of $500 per message.
    > Use of this email address implies consent to these terms.
    >
     
    SLH, Oct 3, 2006
    #16
  17. SLH

    SLH Guest

    "Dave Anderson" <> wrote in message
    news:...
    > SLH wrote:
    >> i have a field where it could be perfectly valid to
    >> submit "<%" or "%>" for example.
    >> since i would want to allow this input, how would you
    >> recommend i go about the whole thing to make it as sound
    >> as possible?

    >
    > Well, the display is a solved problem: Server.HTMLEncode().
    >
    > As for storing it in a database, that depends on the database. What are you
    > using?
    >
    >


    its Access for now. couldnt i just store it in the database as is then
    HTMLEncode as its coming out to be displayed?
    hope so because thats how it is as of now




    >
    > --
    > Dave Anderson
    >
    > Unsolicited commercial email will be read at a cost of $500 per message.
    > Use of this email address implies consent to these terms.
    >
     
    SLH, Oct 3, 2006
    #17
  18. SLH

    SLH Guest

    "Dave Anderson" <> wrote in message
    news:...
    > SLH wrote:
    >>> As for storing it in a database, that depends on the database.
    >>> What are you using?

    >>
    >> its Access for now. couldnt i just store it in the database as
    >> is then HTMLEncode as its coming out to be displayed?
    >> hope so because thats how it is as of now

    >
    > Yes. That is precisely what I would do.
    >
    > However, I haven't got a clue about preventing SQL injection in Access,
    > since it does not have stored procedures. I suppose you can just escape
    > your single quotes, but that's just a swing in the dark.
    >
    >


    Access does in fact have stored procedures. im using them for some pages but
    not others.
    where i dont use them i replace single quotes with 2 single quotes

    thanks for your help




    >
    >
    > --
    > Dave Anderson
    >
    > Unsolicited commercial email will be read at a cost of $500 per message.
    > Use of this email address implies consent to these terms.
    >
     
    SLH, Oct 4, 2006
    #18
  19. Mike Brind

    Mike Brind Guest

    "Dave Anderson" <> wrote in message
    news:...
    > SLH wrote:


    >
    > However, I haven't got a clue about preventing SQL injection in Access,
    > since it does not have stored procedures.



    It's very similar to how you would do it in SQL Server. Instead of a stored
    procedure, you create a saved query. However, saved queries are just that -
    saved individual sql statements, with parameters if you want. You would
    call them in exactly the same way as with stored procs:

    conn.qMySavedQuery parm1, parm2, parm3...

    Access 2003 will even let you use similar syntax to SQL Server:

    CREATE PROCEDURE qMySavedQuery
    AS
    INSERT INTO tbl
    (
        fld1,
        fld2,
        fld3
    )
    VALUES
    (
        @textvalue1,
        @textvalue2,
        @textvalue3
    )

    You don't declare the parameters or give their datatypes. Older versions of
    Access will automatically surround parameter markers with [ ] brackets, and
    some silly things go on if you open the query in design view. But, for
    Access users, they are as effective against SQL Injection as stored procs in
    SQL Server.

    --
    Mike Brind
     
    Mike Brind, Oct 4, 2006
    #19
  20. Bob Barrows [MVP]

    Dave Anderson wrote:
    > SLH wrote:
    >>> As for storing it in a database, that depends on the database.
    >>> What are you using?

    >>
    >> its Access for now. couldnt i just store it in the database as
    >> is then HTMLEncode as its coming out to be displayed?
    >> hope so because thats how it is as of now

    >
    > Yes. That is precisely what I would do.
    >
    > However, I haven't got a clue about preventing SQL injection in
    > Access, since it does not have stored procedures.


    That's not relevant. SQL Injection can occur in SQL Server even (especially)
    when stored procedures are not being used. Any application that uses dynamic
    sql instead of parameters is vulnerable to injection. Preventing injection
    for Jet involves the same techniques as preventing it for SQL Server: it
    all boils down to: don't use concatenation to insert user inputs into sql
    statements; use parameters.

    > I suppose you can
    > just escape your single quotes, but that's just a swing in the dark.


    While this will certainly be more effective with Jet than for SQL Server,
    using parameters will prevent any loopholes.

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Oct 4, 2006
    #20