M P said:
Hi!
I am looking for a way that I can trap the single quotation mark. If an
encoder uses a single quotation mark in a textbox field, it always gives me an
error because I use single quotes in the SQL statement. Can you help me trap
this character so that it does not produce an error?
Two general rules of thumb:
* Test for what is allowed rather than what is not allowed.
* Use parameterized SQL.
Walk the string, character by character, testing for allowed characters. For
example:
Function IsGoodString(ByVal str)
    Const strGoodChars = "abcdABCD0123" ' Allowed chars (sample set; extend as needed)
    Dim C
    Dim I
    IsGoodString = True
    For I = 1 To Len(str)
        C = Mid(str, I, 1)               ' Take one character at a time
        If (InStr(strGoodChars, C) = 0) Then ' Not found in the allowed set
            IsGoodString = False
            Exit For
        End If
    Next
End Function
Here is a brief white paper on securing ASP pages that you might find
interesting:
http://www.ngssoftware.com/papers/asp.pdf
One thing you will soon notice is that embedded quotes are only the
beginning of the problem. A good general purpose solution is to use
parameterized SQL. You will also find that white paper contains links to
other white papers of interest. A lot has been written on the subject of SQL
injection and how to prevent such attacks.
If, after reading that white paper, you still do not want to use
parameterized SQL you can "escape" delimiting characters (such as single
quotes) by using the Replace function:
strNewString = Replace(strOldString, "'", "''")
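The two rules above (allow-list the input, then pass it to SQL as a parameter) put together in one classic ASP page. This is an added example, not code from the original reply: it assumes a table Customers(CustomerID, Name), a form field named txtName and a placeholder connection string strConn; the allowed-character set is widened so that names such as O'Brien pass, and the apostrophe then reaches the database as parameter data rather than as part of the SQL text, so no escaping is needed.

```vbscript
<%
' Added example (not from the original post). Table, column, form field and
' connection string below are assumptions/placeholders.
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

' Placeholder connection string: replace with your own.
Const strConn = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=Shop;Integrated Security=SSPI"

' Allow-list check: letters, digits, space, apostrophe and hyphen only,
' and a length cap that matches the size of the Name column.
Function IsGoodName(ByVal str)
    Const strGoodChars = "abcdefghijklmnopqrstuvwxyz" & _
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ" & _
                         "0123456789 '-"
    Dim I
    IsGoodName = (Len(str) > 0 And Len(str) <= 50)
    If Not IsGoodName Then Exit Function
    For I = 1 To Len(str)
        ' Binary compare: case matters, and no locale surprises
        If InStr(1, strGoodChars, Mid(str, I, 1), vbBinaryCompare) = 0 Then
            IsGoodName = False
            Exit Function
        End If
    Next
End Function

' Parameterized lookup: the value is bound to the "?" placeholder by ADO,
' so a single quote inside strName is plain data, never part of the statement.
Function FindCustomerID(ByVal conn, ByVal strName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT CustomerID FROM Customers WHERE Name = ?"
    cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, strName)
    Set rs = cmd.Execute
    If rs.EOF Then
        FindCustomerID = 0          ' Not found
    Else
        FindCustomerID = rs("CustomerID").Value
    End If
    rs.Close
End Function

Dim conn, strName, lngID
strName = Request.Form("txtName")   ' e.g. O'Brien

If Not IsGoodName(strName) Then
    ' Reject rather than repair: say what is allowed, not what was wrong
    Response.Write "Please enter a name using letters, digits, spaces, ' or - only."
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    lngID = FindCustomerID(conn, strName)
    conn.Close
    ' Encode on the way out as well, so the echoed value cannot inject HTML
    Response.Write "CustomerID: " & Server.HTMLEncode(CStr(lngID))
End If
%>
```

The allow-list runs first so that obviously malformed input is rejected before a database round trip, but the parameter binding is what actually removes the quoting problem: the SQL text never changes, whatever the user typed. If you later need to accept a wider character set, widen strGoodChars and nothing in FindCustomerID has to change.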