Error when characters like ' / @ = are entered by user
How can I allow users to enter these and other symbols into a form which gets stored in the database without getting errors? If users enter SQL into a textbox will it change the database?
kb posted this at 20:02 — 31st July 2007.
He has: 1,380 posts
Joined: Feb 2002
You need to allow for things like this by "trying to break it"... which you have, and that's a good thing.
How to fix it? Well you could replace the @ and other such symbols with their HTML code equivalent... are you using PHP? There's a function called "html_entities_encode" ... check that out.
As for the SQL... that's actually a good question, and I'm not sure. I think it probably has to do with how your database queries are structured. If you are filtering them, then probably not. Otherwise... maybe?
Let me know if you're using PHP, because then I can give you some more specific help.
kb posted this at 20:03 — 31st July 2007.
He has: 1,380 posts
Joined: Feb 2002
(p.s. that last post was # 1337 ... hahahah)
drew22299 posted this at 13:56 — 1st August 2007.
They have: 105 posts
Joined: Mar 2006
I'm using ASP, but I'm still interested in what you know about doing it in PHP.
Drew,
JeevesBond posted this at 14:21 — 1st August 2007.
He has: 3,956 posts
Joined: Jun 2002
Nrrrgh, can't remember back far enough....
My knowledge of ASP is getting dimmer and dimmer (it's a good thing Drew posts all these ASP questions). It's something like HtmlEncode, have you got an ASP reference where you can do a search for that? Also when I did ASP it was heavily tied into VB, so that might be a VB method!
There's got to be something like that though.
Moreover, how do you stop some sneaky 1337 H4xX0r script kiddie using those symbols to inject queries into your database! Is ASP strongly typed (I've forgotten)? If not you'd better make sure that when inserting a number into the database it actually is a number. If ASP uses variable declarations like `Dim MyVar As Int` then you should be OK, but if it's throwing variants around (à la `Dim MyVar` or `Dim MyVar As Variant`) then you'd better start using the type checking functions (`is_num` for instance).
Breaking stuff is good, if you break it now it means someone else doesn't break it in future.
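The two problems raised in kb's and JeevesBond's posts above, quotes and symbols that make the query error out, and crafted input that rewrites the query, come from the same root cause: the user's text is pasted into the SQL string. The added example below (not code from any poster, and not ASP or PHP) shows the broken pattern beside the fixed one, plus the numeric type check JeevesBond suggests and HTML-encoding done at output time. It uses Python's sqlite3 module so it runs stand-alone; the placeholder technique is the same one ADO parameters give you in classic ASP and prepared statements give you in PHP. The `comments` table, its columns and all sample inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample values: the symbols from the question plus a classic
# injection string. None of this is data from the original thread.
SAMPLES = ["O'Brien", "user@example.com", "a/b=c", "x' OR '1'='1"]


def make_db():
    """Fresh in-memory database; the table shape is assumed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, rating INTEGER)"
    )
    return conn


def insert_concatenated(conn, author, rating):
    """Vulnerable: SQL built by string concatenation. A lone apostrophe
    breaks the statement, and crafted text can rewrite it."""
    sql = ("INSERT INTO comments (author, rating) VALUES ('"
           + author + "', " + str(rating) + ")")
    conn.execute(sql)


def insert_parameterized(conn, author, rating):
    """Safe: values travel separately from the SQL text, so ' / @ = are
    stored verbatim and are never parsed as SQL."""
    conn.execute(
        "INSERT INTO comments (author, rating) VALUES (?, ?)", (author, rating)
    )


def find_concatenated(conn, author):
    """Vulnerable lookup: the value  x' OR '1'='1  turns the WHERE clause
    into a condition that is true for every row."""
    sql = "SELECT author FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, author):
    """Safe lookup: the same input is compared as a literal string."""
    rows = conn.execute("SELECT author FROM comments WHERE author = ?", (author,))
    return [row[0] for row in rows]


def parse_rating(raw):
    """Type check for a numeric field: anything that is not a plain integer
    in the expected range is rejected before it gets anywhere near SQL."""
    if not raw.strip().lstrip("-").isdigit():
        raise ValueError("rating must be an integer: %r" % raw)
    value = int(raw)
    if not 1 <= value <= 5:
        raise ValueError("rating out of range: %d" % value)
    return value


def render_author(author):
    """HTML-encode when writing the page, not before storing: the database
    keeps the raw text, the browser gets entities so stored markup is inert."""
    return html.escape(author, quote=True)


def demo():
    """Runs every case and returns a dict so the results can be checked."""
    conn = make_db()
    results = {}

    # 1. The apostrophe breaks the concatenated INSERT; the parameterized
    #    INSERT stores every sample, injection string included, as plain text.
    try:
        insert_concatenated(conn, "O'Brien", 5)
        results["concat_insert_error"] = False
    except sqlite3.Error:
        results["concat_insert_error"] = True
    for s in SAMPLES:
        insert_parameterized(conn, s, 3)
    results["stored"] = [r[0] for r in conn.execute(
        "SELECT author FROM comments ORDER BY id")]

    # 2. Concatenation returns all four rows; parameterization returns only
    #    the one row whose author is literally the payload string.
    payload = "x' OR '1'='1"
    results["concat_rows"] = len(find_concatenated(conn, payload))
    results["param_rows"] = len(find_parameterized(conn, payload))

    # 3. The type check rejects SQL smuggled into a numeric field.
    try:
        parse_rating("5) OR 1=1 --")
        results["bad_rating_rejected"] = False
    except ValueError:
        results["bad_rating_rejected"] = True

    # 4. Output encoding leaves @ / = alone and neutralizes markup.
    results["rendered"] = render_author("<b>a@b=c/</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run it and compare the `concat_*` and `param_*` lines: the characters that caused the original error are only a problem when they are spliced into the SQL text, and the same splicing is what lets a visitor change the query. Encoding for HTML is a separate, output-side step; it does not make the SQL safe, and doing it before storage just means the database holds entities instead of the user's text.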