[thelist] ASP - & Encoding

Anthony Baratta Anthony at Baratta.com
Fri Mar 22 16:40:01 CST 2002


At 11:21 AM 3/22/2002, Howard Cheng wrote:
>>rs.Open "SELECT * FROM table WHERE phone ='" & request.form("phone") & "'"

Whether you want to use Request.Form or Request.QueryString, you should be
escaping the User/Form supplied data.

You never know what can get embedded into your SQL and by "sanitizing" the
input you reduce the amount of problems it can cause.

I have an ASP function I always use to escape User/Form Data, here is a
*full* example:

    Set objDBConn = NewDBConn()
    strQuery = "SELECT * FROM table WHERE " & _
       "phone ='" & EscapeDBData(request.form("phone")) & "'"
    Set objRS = objDBConn.Execute(strQuery)
    '' Test the recordset that was just opened (objRS), not an undefined object
    if not (objRS.BOF AND objRS.EOF) then
       ''Found data
    else
       '' No data
    end if
    objRS.Close
    objDBConn.Close

''''''''''''''''''''''''''''''''''''''''''''''''''
'' EscapeDBData Function
'' Required Info Passed to Function:
''      varDataLine
''''''''''''''''''''''''''''''''''''''''''''''''''
Function EscapeDBData(varDataLine)
     if not(varDataLine = "") then
        '' Double every single quote so it cannot close the SQL string literal
        '' (start = 1, count = -1 replaces all, compare = 1 is vbTextCompare)
        varDataLine = Replace(varDataLine,"'","''",1,-1,1)
     end if
     EscapeDBData = Trim(varDataLine)
End Function

''''''''''''''''''''''''''''''''''''''''''''''''''
'' NewDBConn Function
'' Required Info Passed to Function:
''      None
''''''''''''''''''''''''''''''''''''''''''''''''''
Function NewDBConn()
     '' DB_Connect_String is an ADO connection string defined elsewhere in the app
     Set objNewDBConn = Server.CreateObject("ADODB.Connection")
     objNewDBConn.Open(DB_Connect_String)
     Set NewDBConn = objNewDBConn
     Set objNewDBConn = Nothing
End Function
---
Anthony Baratta
President
Keyboard Jockeys

"Conformity is the refuge of the unimaginative."
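The escaping approach above doubles single quotes so user input cannot end the string literal the query wraps it in. The following is an added example, not Anthony's code and not part of the original post: a Python port of the EscapeDBData idea run against an in-memory SQLite database (constructed sample table and inputs), placed beside the string-built query from the post and beside a parameterized query, which is the form that does not depend on quoting at all. The table name, column names and sample rows are assumptions for the demo.

```python
import sqlite3


def escape_db_data(value: str) -> str:
    """Port of the post's EscapeDBData: double every single quote so it cannot
    terminate the SQL string literal, then trim surrounding whitespace.
    This only protects a value that the caller wraps in single quotes."""
    if value:
        value = value.replace("'", "''")
    return value.strip()


def lookup_unescaped(conn, phone):
    """The string-built query exactly as quoted in the thread, with no escaping.
    Kept only to show how an apostrophe in the input breaks the statement."""
    sql = "SELECT name FROM contacts WHERE phone = '" + phone + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, phone):
    """The post's pattern: string-built query with the value escaped first."""
    sql = "SELECT name FROM contacts WHERE phone = '" + escape_db_data(phone) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, phone):
    """Parameter binding: the value is sent separately from the SQL text, so
    quoting inside it is irrelevant to the statement's structure."""
    sql = "SELECT name FROM contacts WHERE phone = ?"
    return [row[0] for row in conn.execute(sql, (phone.strip(),))]


def make_demo_db():
    """Constructed sample table for the demo (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?)",
        [("Alice", "555-0100"), ("Bob", "555-0199")],
    )
    return conn


def demo():
    conn = make_demo_db()
    normal = " 555-0100 "   # constructed: ordinary input with stray whitespace
    stray = "555-0100'"     # constructed: input with a stray apostrophe
    try:
        lookup_unescaped(conn, stray)
        unescaped_failed = False
    except sqlite3.OperationalError:
        # unbalanced quote -> SQL syntax error from the database engine
        unescaped_failed = True
    return {
        "normal_escaped": lookup_escaped(conn, normal),
        "normal_param": lookup_parameterized(conn, normal),
        "unescaped_failed": unescaped_failed,
        "stray_escaped": lookup_escaped(conn, stray),
        "stray_param": lookup_parameterized(conn, stray),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The escaped and parameterized lookups both return the expected row for ordinary input and an empty result (rather than a syntax error) for the input with the apostrophe; the unescaped version raises. Note that quote-doubling is correct only inside a single-quoted literal; a value spliced into a numeric comparison or a LIKE pattern is not covered by it, which is why the parameterized form is the one to prefer. In classic ASP the equivalent of the parameterized lookup is an ADODB.Command object with its CommandText containing `?` placeholders and values appended via CreateParameter.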



