Trapping Single Quotation Mark

Discussion in 'ASP General' started by M P, Nov 24, 2005.

  1. M P

    M P Guest

    Hi!

    I am looking for a way to trap the single quotation mark. If an
    encoder uses a single quotation mark in a textbox field, it always gives me an
    error because I use single quotes in the SQL statement. Can you help me trap
    this character so it does not produce an error?

    Me
    M P, Nov 24, 2005
    #1

  2. M P

    Evertjan. Guest

    M P wrote on 24 nov 2005 in microsoft.public.inetserver.asp.general:

    > I am looking for a way to trap the single quotation mark. If
    > an encoder uses a single quotation mark in a textbox field, it always
    > gives me an error because I use single quotes in the SQL statement. Can
    > you help me trap this character so it does not produce an error?
    >


    t = Replace(t, "'", "`")  ' swap every apostrophe for a backtick before it reaches the SQL text

    btw, the single quote/apostrophe won't ALWAYS give you an error.
    Not when used by a hacker to gain entry to your server.

    --
    Evertjan.
    The Netherlands.
    (Replace all crosses with dots in my email address)
    Evertjan., Nov 24, 2005
    #2

  3. M P wrote:
    > Hi!
    >
    > I am looking for a way to trap the single quotation mark. If
    > an encoder uses a single quotation mark in a textbox field, it always
    > gives me an error because I use single quotes in the SQL statement.
    > Can you help me trap this character so it does not produce an error?
    >
    > Me

    The (to me) simple answer is to stop using dynamic sql and start using
    parameters.
    Either via saved parameter queries (Access):
    http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=

    http://groups.google.com/groups?hl=...=1&selm=

    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd

    Stored procedures (SQL Server):
    http://tinyurl.com/jyy0

    or, if you can't bring yourself to try either of the above, via an explicit
    Command object used to pass parameters to a string containing ODBC parameter
    markers:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    The explanation for Evertjan's "hackers" remark can be found here:
    http://mvp.unixwiz.net/techtips/sql-injection.html
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23


    Bob Barrows

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
    Bob Barrows [MVP], Nov 24, 2005
    #3
  4. M P

    MyndPhlyp Guest

    "M P" <> wrote in message
    news:edXC$...
    > Hi!
    >
    > I am looking for a way to trap the single quotation mark. If an
    > encoder uses a single quotation mark in a textbox field, it always gives me an
    > error because I use single quotes in the SQL statement. Can you help me trap
    > this character so it does not produce an error?


    Two general rules of thumb:

    * Test for what is allowed rather than what is not allowed.
    * Use parameterized SQL.

    Walk the string, character by character, testing for allowed characters. For
    example:

    Function IsGoodString(ByVal str)
        Const strGoodChars = "abcdABCD0123" ' Allowed chars
        Dim C
        Dim I
        IsGoodString = True
        For I = 1 To Len(str)
            C = Mid(str, I, 1)
            If (InStr(strGoodChars, C) = 0) Then ' Not found
                IsGoodString = False
                Exit For
            End If
        Next
    End Function

    Here is a brief white paper on securing ASP pages that you might find
    interesting:

    http://www.ngssoftware.com/papers/asp.pdf

    One thing you will soon notice is that embedded quotes are only the
    beginning of the problem. A good general purpose solution is to use
    parameterized SQL. You will also find that white paper contains links to
    other white papers of interest. A lot has been written on the subject of SQL
    injection and how to prevent such attacks.

    If, after reading that white paper, you still do not want to use
    parameterized SQL you can "escape" delimiting characters (such as single
    quotes) by using the Replace function:

    strNewString = Replace(strOldString, "'", "''") ' a doubled quote is read as one literal apostrophe
    MyndPhlyp, Nov 24, 2005
    #4
  5. M P

    Bob Lehmann Guest

    >> Walk the string, character by character,
    Yuk!

    Wouldn't regular expressions be a skosh more efficient?

    Bob Lehmann

    Bob Lehmann, Nov 24, 2005
    #5
  6. M P

    Evertjan. Guest

    MyndPhlyp wrote on 24 nov 2005 in microsoft.public.inetserver.asp.general:

    > Function IsGoodString(ByVal str)
    >     Const strGoodChars = "abcdABCD0123" ' Allowed chars
    >     Dim C
    >     Dim I
    >     IsGoodString = True
    >     For I = 1 To Len(str)
    >         C = Mid(str, I, 1)
    >         If (InStr(strGoodChars, C) = 0) Then ' Not found
    >             IsGoodString = False
    >             Exit For
    >         End If
    >     Next
    > End Function
    >


    <script language=jscript runat=server>
    function IsGoodString(str){
    return !/[^abcd0123]/i.test(str)
    }
    </script>

    Testing:<br>

    <%
    response.write IsGoodString("Abba")
    response.write "<br>"
    response.write IsGoodString("Zoef")
    %>

    --
    Evertjan.
    The Netherlands.
    (Replace all crosses with dots in my email address)
    Evertjan., Nov 24, 2005
    #6
  7. M P

    MyndPhlyp Guest

    "Bob Lehmann" <> wrote in message
    news:...
    > >> Walk the string, character by character,

    > Yuk!
    >
    > Wouldn't regular expressions be a skosh more efficient?


    Eh. It is all a matter of personal style. They both accomplish the same
    task. Depending on your myndset one method is more easily recognized than
    the other. The difference in overhead is going to be negligible. I tend to
    fall back to really old school methods since it can be recognized by
    virtually all levels of programming experience. Besides, it is just an
    example and I prefer to leave the art of computer programming and
    efficiencies/inefficiencies to Donald E. Knuth
    http://www-cs-faculty.stanford.edu/~knuth/.

    (Hey - he finally got Volume 4 published!)
    MyndPhlyp, Nov 24, 2005
    #7
  8. M P

    Bob Lehmann Guest

    >>They both accomplish the same task.
    >>Depending on your myndset one method
    >> is more easily recognized than the other.


    So, given the task of moving several tons of rocks, you would suggest using
    a wheelbarrow, since it is easier to understand, and use, than a front-end
    loader?

    VB(Script) is notorious for inefficient string handling. I expect that on a
    string of even 200+ bytes there would be a significant, noticeable difference
    between your method and a regular expression.

    Bob Lehmann

    Bob Lehmann, Nov 24, 2005
    #8
  9. bla blah blah


    Larry Randolf, Dec 5, 2005
    #9
  10. M P

    Bob Lehmann Guest

    My, aren't you a clever one!

    It is also impressive how willing you are to put your ignorance on public
    display.

    Keep up the good work!

    Bob Lehmann

    Bob Lehmann, Dec 6, 2005
    #10
