[thelist] What can break a form? (ASP)

thelist at cjmarsh.com thelist at cjmarsh.com
Sat Apr 9 04:02:16 CDT 2005


> : I thought I had caught all the apostrophes in my 
> : form processing, and even when I did catch them all, 
> : the form still went through.
> : 
> : My Canadian colleague loves to use special characters 
> : in forms; my new best friend. Aside from the apostrophe, 
> : what other special characters can break
> : a form in ASP.
> : 
> : When replace(request.form("field"),"'","''") stops working, 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Single quotes (') do not "break" forms. The only thing that 
> they "break" is SQL statements that you're building 
> on-the-fly. Why? Because ' are used as data delimiters in SQL 
> statements. Nothing to do with HTTP/posted data, nothing to 
> do with ASP. Only has relevance in your database.

The only way that I could think of that single quotes could "break" a
form is if the data that has been submitted will be displayed in that
form again. If one uses single quotes in the HTML and submits a surname
O'Grady in a form with other required fields not completed, then the
surname will probably display as "O" after the form has been initially
submitted; thus breaking the form. It's important to note though, that
there is no single operation solution to this issue, as one would
possibly encode the "'" to ' to display in the form, but this needs
to be converted to "''" before including in any inline SQL. This HTML
issue is also apparent with alt values and javascript. A javascript
alert "Don't include apostrophes" will cause an error if single quotes
are used in Javascript. I have found that using a consistent methodology
in receiving, displaying and processing data in dynamic pages has
resulted in as secure and reliable pages as possible.

HTH

Regards

Chris Marsh
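
Added example, not part of the message above: a JavaScript sketch (the thread's own code is ASP/VBScript) of the per-context handling the message describes, showing the O'Grady truncation in a single-quoted value attribute next to the separate encodings for HTML, a JavaScript string and inline SQL. All function names are hypothetical and the surname is constructed sample input.

```javascript
// Encode for an HTML attribute value: both quote styles plus & < >.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for a JavaScript string literal embedded in a page:
// quotes, backslash, line breaks and markup characters become \uXXXX.
function encodeJsString(s) {
  return String(s).replace(/[\\'"<>&\u2028\u2029\r\n]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The quote doubling from the thread, for inline SQL string literals only.
// (A parameterized command removes the need for it.)
function doubleSqlQuotes(s) {
  return String(s).replace(/'/g, "''");
}

// Minimal model of how a browser reads a single-quoted value attribute:
// the value ends at the next single quote; entities are decoded afterwards.
function readSingleQuotedValue(html) {
  const m = /value='([^']*)'/.exec(html);
  if (!m) return null;
  return m[1].replace(/&#39;/g, "'").replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

const surname = "O'Grady"; // constructed sample input

// Redisplay the submitted value in the form, with or without encoding.
function renderField(value, encode) {
  return "<input name='surname' value='" + (encode ? encodeHtmlAttr(value) : value) + "'>";
}

function demo() {
  return {
    rawRedisplay: readSingleQuotedValue(renderField(surname, false)),    // truncated
    encodedRedisplay: readSingleQuotedValue(renderField(surname, true)), // intact
    jsLiteral: "alert('" + encodeJsString("Don't include apostrophes") + "');",
    sqlLiteral: "'" + doubleSqlQuotes(surname) + "'",
    // HTML-encoding first does not make the value fit for SQL: the entity
    // itself would be stored instead of the apostrophe.
    htmlThenSql: doubleSqlQuotes(encodeHtmlAttr(surname)),
  };
}

console.log(demo());
```

Each encoder is applied at the point of output for its own context, starting from the raw submitted value rather than from a copy already encoded for another context.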
