Sending Text Data in Forms


gowans007
06-03-2004, 06:57 AM
Guys,

I have a simple ASP feedback form on my website going to a SQL database; however, when anyone enters any special characters (i.e. ' ?) they receive an error message.

How can I stop this from happening?

I am a bit of a noob with ASP and any simple advice or example coding would be helpful.

Thank you!

Bhanu
06-03-2004, 10:06 AM
Hi,
Replace a single quote with two single quotes before you write to the database.
Example: if "Scott's" is entered, make this "Scott''s".
Then you will not get a database error.

Bhanu

gowans007
06-03-2004, 11:00 AM
Does this also fix the ? problem?

Bhanu
06-03-2004, 11:28 AM
sure
Bhanu

gowans007
06-03-2004, 12:21 PM
I am using " in the script that saves the info.

i.e. the text is typed in by a random person,

This is then passed in a form to an ASP page which picks up the data entered.

However, if they enter ' or ? in the text they get ERROR!!!!

What do I need to change in my asp code so I can wave goodbye to these errors?

Grateful for any help,
Thank you

Bhanu
06-03-2004, 12:29 PM
Take all in hidden variables
and submit the form;
do not pass variables with the URL link.
good luck
Bhanu

NCit
06-03-2004, 03:00 PM
I have written a very small example for you. Just check it:


<%
'first we get the form fields
strFirstName = Request.Form("frmFirstName")
strLastName = Request.Form("frmLastName")

'then it's time to do a check
strFirstName = FormatSQLInput(strFirstName)
strLastName = FormatSQLInput(strLastName)

'and now recording into db
'(VBScript line continuation is a space followed by an underscore)
SQL = "INSERT INTO [TABLE_NAME] " & _
      "(FIRSTNAME, LASTNAME) " & _
      "VALUES (" & _
      "'" & strFirstName & "', " & _
      "'" & strLastName & "')"
objConn.Execute(SQL)

'and this function does all the checking trick
'this function also replaces the forbidden words like SELECT, ALTER etc.
'you may add more 'replaces' in this function to replace other special characters
Private Function FormatSQLInput(ByVal strInputEntry)
    'double every single quote so it is stored as a literal character
    'instead of terminating the SQL string (this is the fix for the ' error)
    strInputEntry = Replace(strInputEntry, "'", "''", 1, -1, 1)
    'note: Chr(34) is the double-quote character itself, so this call changes nothing
    strInputEntry = Replace(strInputEntry, """", Chr(34), 1, -1, 1)
    'note: as posted, each call below replaces the keyword with itself,
    'so these lines have no effect on the input
    strInputEntry = Replace(strInputEntry, "select", "select", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "join", "join", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "union", "union", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "where", "where", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "insert", "insert", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "delete", "delete", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "update", "update", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "like", "like", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "drop", "drop", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "create", "create", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "modify", "modify", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "rename", "rename", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "alter", "alter", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "cast", "cast", 1, -1, 1)
    FormatSQLInput = strInputEntry
End Function
%>
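As an added example (not code from this thread), the same insert written with a parameterized ADODB.Command: the values travel to the database separately from the SQL text, so a ' or ? in the input never becomes part of the statement and no quote doubling or keyword list is needed. It assumes objConn is an already-open ADODB.Connection and reuses the table and column names from the post above; the column width of 50 is an assumption.

```vbscript
<%
' Added example, not from the thread: parameterized INSERT with ADODB.Command.
' Assumes objConn is an open ADODB.Connection; table/column names are from
' NCit's post above, and the column width of 50 is an assumed value.

Const adCmdText = 1        ' CommandType: the CommandText is plain SQL
Const adVarChar = 200      ' parameter data type: variable-length string
Const adParamInput = 1     ' parameter direction: input

' Read the posted form fields as-is; no escaping is applied here
Dim strFirstName, strLastName
strFirstName = Request.Form("frmFirstName")
strLastName  = Request.Form("frmLastName")

Dim objCmd
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText

' Each ? is a placeholder; parameters are bound to them in the order appended.
' Because the values are never concatenated into this string, a ' or ? typed
' by the user is stored literally instead of breaking the statement.
objCmd.CommandText = "INSERT INTO [TABLE_NAME] (FIRSTNAME, LASTNAME) VALUES (?, ?)"

' Left() keeps each value within the declared parameter size (assumed 50)
objCmd.Parameters.Append objCmd.CreateParameter("FirstName", adVarChar, adParamInput, 50, Left(strFirstName, 50))
objCmd.Parameters.Append objCmd.CreateParameter("LastName",  adVarChar, adParamInput, 50, Left(strLastName, 50))

objCmd.Execute
Set objCmd = Nothing
%>
```

The `?` error the original poster describes only goes away for data sent in the request body (Request.Form, as here); a value carried in a URL query string still needs to be URL-encoded by the form or by Server.URLEncode before it is sent.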