[thelist] ASP - & Encoding
Anthony Baratta
Anthony at Baratta.com
Fri Mar 22 16:40:01 CST 2002
At 11:21 AM 3/22/2002, Howard Cheng wrote:
>>rs.Open "SELECT * FROM table WHERE phone ='" & request.form("phone") & "'"
Whether you want to use Request.Form or Request.QueryString, you should be
escaping the User/Form supplied data.
You never know what can get embedded into your SQL and by "sanitizing" the
input you reduce the amount of problems it can cause.
I have an ASP function I always use to escape User/Form Data, here is a
*full* example:
Set objDBConn = NewDBConn()
strQuery = "SELECT * FROM table WHERE " & _
    "phone ='" & EscapeDBData(request.form("phone")) & "'"
Set objRS = objDBConn.Execute(strQuery)
if not (objRS.BOF AND objRS.EOF) then
    '' Found data
else
    '' No data
end if
objRS.Close
Set objRS = Nothing
objDBConn.Close
Set objDBConn = Nothing
''''''''''''''''''''''''''''''''''''''''''''''''''
'' EscapeDBData Function
'' Required Info Passed to Function:
'' varDataLine
'' Doubles every single quote so the value cannot close the SQL string literal
''''''''''''''''''''''''''''''''''''''''''''''''''
Function EscapeDBData(varDataLine)
    if not(varDataLine = "") then
        '' Replace(expr, find, replace, start, count, compare): all occurrences, text compare
        varDataLine = Replace(varDataLine,"'","''",1,-1,1)
    end if
    EscapeDBData = Trim(varDataLine)
End Function
''''''''''''''''''''''''''''''''''''''''''''''''''
'' NewDBConn Function
'' Required Info Passed to Function:
'' None
'' DB_Connect_String is assumed to be defined elsewhere (e.g. in an include file)
''''''''''''''''''''''''''''''''''''''''''''''''''
Function NewDBConn()
    Set objNewDBConn = Server.CreateObject("ADODB.Connection")
    objNewDBConn.Open(DB_Connect_String)
    Set NewDBConn = objNewDBConn
    Set objNewDBConn = Nothing
End Function
---
Anthony Baratta
President
Keyboard Jockeys
"Conformity is the refuge of the unimaginative."
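The same lookup written with an ADODB.Command and a bound parameter, as an added example that is not part of the original post or Anthony's code. Binding the value means the phone string is handed to the provider separately from the SQL text, so it never needs escaping at all and an embedded apostrophe is simply data. It assumes, as the post does, that DB_Connect_String is defined elsewhere and that the table is called "table" with a "phone" column; the parameter size of 20 is an assumption for a phone field.

```vbscript
'' Added example, not code from the original post.
'' ADO constants spelled out so the page does not depend on adovbs.inc
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

'' Returns True if a row with the given phone exists, using a bound parameter
'' instead of string concatenation.
Function FindByPhone(strPhone)
    Dim objConn, objCmd, objRS
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open DB_Connect_String          '' assumed defined in an include, as in the post

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn   '' Set, so ADO reuses this connection
    objCmd.CommandType = adCmdText
    '' The "?" placeholder is filled in by the provider, not by joining strings
    objCmd.CommandText = "SELECT * FROM table WHERE phone = ?"
    '' Size 20 is an assumption for a phone column
    objCmd.Parameters.Append objCmd.CreateParameter("phone", adVarChar, adParamInput, 20, Trim(strPhone))

    Set objRS = objCmd.Execute
    If Not (objRS.BOF And objRS.EOF) Then
        FindByPhone = True    '' found data
    Else
        FindByPhone = False   '' no data
    End If

    objRS.Close
    objConn.Close
    Set objRS = Nothing
    Set objCmd = Nothing
    Set objConn = Nothing
End Function

'' Usage: the form value goes straight to the parameter; a value such as
'' O'Brien's number with a quote in it is matched literally, not interpreted.
If FindByPhone(Request.Form("phone")) Then
    Response.Write "Found data"
Else
    Response.Write "No data"
End If
```

Doubling quotes, as EscapeDBData does, is correct for a value that sits inside a single-quoted string literal; a bound parameter removes the question of which context the value lands in, which is why it is the safer default whenever the provider supports it.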