" ' " form handling error
Hi
I am using ASP to process data from a form into my database. I have set it up and it worked fine, but when someone types "ye's" or anything with a " ' " in the value it breaks the ASP. Any solutions? Please help. Murray
Greg K posted this at 18:58 — 3rd December 2005.
He has: 2,145 posts
Joined: Nov 2003
I know for PHP there are functions to process strings to escape out characters like quotes (i.e. "How'd they do that" would become "How\'d they do that").
I can't remember if ASP does escaping or doubling of the quotes. BJA knows ASP, so perhaps he will be able to post an answer for you. Until then try searching in ASP help for the term "escaping quotes".
-Greg
chrishirst posted this at 08:47 — 4th December 2005.
He has: 379 posts
Joined: Apr 2005
Use another apostrophe:

stringOut = Replace(stringIn, "'", "''")

' or as a function
Function stripQuotes(strWords)
    ' double each single quote so it survives inside a SQL string literal
    stripQuotes = Replace(strWords, "'", "''")
    stripQuotes = StripChars(stripQuotes)
End Function

'***********************************
Function StripChars(strIn)
    Dim Disallowed
    Dim strOut
    Dim i
    ' keyword blacklist; Replace is case-sensitive by default, so vbTextCompare
    ' is passed or "SELECT" would slip straight through
    Disallowed = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    strOut = strIn
    For i = 0 To UBound(Disallowed)
        strOut = Replace(strOut, Disallowed(i), "", 1, -1, vbTextCompare)
    Next
    StripChars = strOut
End Function

I've included a function for helping prevent SQL injection as well.
Chris
Indifference will be the downfall of mankind, but who cares?
MerchAffil posted this at 14:59 — 5th December 2005.
They have: 17 posts
Joined: Oct 2005
Hi
Thanks so much for your help!!
Sorry - beginner.
Where does the above go?
Murray
<%
' Classic ASP (VBScript); declare the names before the first Set so Dim does not redefine them
Dim Upload, File, Item
Set Upload = Server.CreateObject("Persits.Upload.1")
Upload.Save "......."
dim WP, references, title, name1, name2, name3, pob, nat, noc, mmn, sex, email, marital, passport, passportissue, driving, drivingissue, mobile, home, add1, add2, town, post, dob, ni, sales, airport, full_part, pth, GCSE, nameofemployer1, jobtitle1, jobdes1, leaving1, start1, leavingdate1, nameofemployer2, jobtitle2, jobdes2, leaving2, start2, leavingdate2, nameofemployer3, jobtitle3, jobdes3, leaving3, start3, leavingdate3, whichairport, airportbefore, location, company, start4, leavingdate4, cdescription, miles, Jtime, home2, car, criminal, shifts, student, studenthours, appropriate, where1, comments
Dim objConn, strQ, objRS
WP = Upload.form("WP")
references = Upload.form("references")
title = Upload.form("title")
name1 = Upload.form("name1")
name2 = Upload.form("name2")
name3 = Upload.form("name3")
pob = Upload.form("pob")
nat = Upload.form("nat")
noc = Upload.form("noc")
mmn = Upload.form("mmn")
sex = Upload.form("sex")
marital = Upload.form("marital")
email = Upload.form("email")
passport = Upload.form("passport")
passportissue= Upload.form("passportissue")
driving = Upload.form("driving")
drivingissue= Upload.form("drivingissue")
mobile = Upload.form("mobile")
home = Upload.form("home")
add1 = Upload.form("add1")
add2 = Upload.form("add2")
town = Upload.form("town")
post = Upload.form("post")
dob = Upload.form("dob")
ni = Upload.form("ni")
sales = Upload.form("sales")
airport = Upload.form("airport")
full_part = Upload.form("full_part")
pth = Upload.form("pth")
GCSE = Upload.form("GCSE")
nameofemployer1 = Upload.form("nameofemployer1")
jobtitle1 = Upload.form("jobtitle1")
jobdes1 = Upload.form("jobdes1")
leaving1 = Upload.form("leaving1")
start1 = Upload.form("start1")
leavingdate1 = Upload.form("leavingdate1")
nameofemployer2 = Upload.form("nameofemployer2")
jobtitle2 = Upload.form("jobtitle2")
jobdes2 = Upload.form("jobdes2")
leaving2 = Upload.form("leaving2")
start2 = Upload.form("start2")
leavingdate2 = Upload.form("leavingdate2")
nameofemployer3 = Upload.form("nameofemployer3")
jobtitle3 = Upload.form("jobtitle3")
jobdes3 = Upload.form("jobdes3")
leaving3 = Upload.form("leaving3")
start3 = Upload.form("start3")
leavingdate3 = Upload.form("leavingdate3")
whichairport = Upload.form("whichairport")
airportbefore = Upload.form("airportbefore")
location = Upload.form("location")
company = Upload.form("company")
start4 = Upload.form("start4")
leavingdate4 = Upload.form("leavingdate4")
cdescription = Upload.form("cdescription")
miles = Upload.form("miles")
Jtime = Upload.form("Jtime")
home2 = Upload.form("home2")
car = Upload.form("car")
criminal = Upload.form("criminal")
shifts= Upload.form("shifts")
student= Upload.form("student")
studenthours = Upload.form("studenthours")
appropriate = Upload.form("appropriate")
where1 = Upload.form("where1")
For Each File in Upload.Files
File.Copy "........" & File.ExtractFileName
comments = File.ExtractFileName
File.Delete
Next
' Display description field
'Response.Write Upload.Form("Description") & "<BR>"
' Display all selected categories
For Each Item in Upload.Form
If Item.Name = "Category" Then
Response.Write Item.Value & "<BR>"
End If
Next
Dim insertSql
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strConnection   ' strConnection must be defined earlier, e.g. in an included file
'insertSql = "INSERT INTO forward (u_id, f_email, f_name) VALUES (" & intUid & " , " & strToemail & " , " & strFname & " )"
'insertsql = "insert into forward (u_id, f_email, f_name)"
'insertsql = insertsql & " values( " & intUid & " , '" & strToemail & "' , '" & strFname & "' )"
'insertsql = "insert into preference (Title, Firstname) values( '" & Title & "' , '" & Firstname & "' )"
insertSql = ""
insertSql = insertSql & "INSERT INTO users_tbl"
insertSql = insertSql & "(WP, references, title, name1, name2, name3, pob, nat, noc, mmn, sex, marital, email, passport, passportissue, driving, drivingissue, mobile, home, add1, add2, town, post, dob, ni, sales, airport, full_part, pth, GCSE, nameofemployer1, jobtitle1, jobdes1, leaving1, start1, leavingdate1, nameofemployer2, jobtitle2, jobdes2, leaving2, start2, leavingdate2, nameofemployer3, jobtitle3, jobdes3, leaving3, start3, leavingdate3, whichairport, airportbefore, location, company, start4, leavingdate4, cdescription, miles, Jtime, home2, car, criminal, shifts, student, studenthours, appropriate, where1, FILE1 ) " & vbCrLf
insertSql = insertSql & "VALUES ("
' each value is dropped straight into a quoted literal; an apostrophe in any field ends the literal early
insertSql = insertSql & "'" & WP & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & references & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & title & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & name1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & name2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & name3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & pob & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & nat & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & noc & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & mmn & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & sex & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & marital & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & email & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & passport & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & passportissue & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & driving & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & drivingissue & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & mobile & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & home & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & add1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & add2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & town & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & post & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & dob & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & ni & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & sales & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & airport & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & full_part & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & pth & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & GCSE & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & nameofemployer1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobtitle1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobdes1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leaving1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & start1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leavingdate1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & nameofemployer2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobtitle2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobdes2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leaving2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & start2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leavingdate2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & nameofemployer3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobtitle3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & jobdes3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leaving3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & start3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leavingdate3 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & whichairport & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & airportbefore & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & location & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & company & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & start4 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & leavingdate4 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & cdescription & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & miles & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & Jtime & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & home2 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & car & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & criminal & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & shifts & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & student & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & studenthours & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & appropriate & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & where1 & "'"
insertSql = insertSql & ", "
insertSql = insertSql & "'" & comments & "'"
insertSql = insertSql & ");"
'response.write insertSql
objConn.Execute(insertSql)
objConn.close
Set objConn = Nothing
Response.write "Data added"
%>
murraynewlands.com
chrishirst posted this at 23:59 — 6th December 2005.
He has: 379 posts
Joined: Apr 2005
It depends on which field may have "'" in it.
It's simply a function, and you would pass your string variable through it:

strVar = stripQuotes(strVar)
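Both of Chris's replies above work on the same symptom: an apostrophe typed into a field closes the SQL string literal early, and doubling it (or stripping keywords) repairs the literal after the fact. The usual alternative in Classic ASP is to keep user input out of the SQL text altogether with an ADODB.Command and parameters, so that "ye's" is stored exactly as typed and nothing needs escaping. The block below is an added example and is not code from the thread: it rewrites a subset of Murray's INSERT (title, name1, name2, email and the uploaded file name) with placeholders. The table and column names come from the posted script; the column widths, the upload folder and the InsertApplicant function name are assumptions, and strConnection is assumed to be defined in an included file, as in Murray's script.

```vbscript
<%
Option Explicit

' ADO constants normally pulled in from adovbs.inc; defined here so the page is self-contained
Const adCmdText          = 1
Const adVarChar          = 200
Const adParamInput       = 1
Const adExecuteNoRecords = 128

' Insert one applicant row with a parameterised command (hypothetical helper).
' The SQL text holds only placeholders; each value travels as a typed parameter,
' so a quote, a semicolon or the word "select" inside a field is just data.
' Returns the number of rows affected (1 on success).
Function InsertApplicant(objConn, title, name1, name2, email, fileName)
    Dim cmd, rowsAffected
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO users_tbl (title, name1, name2, email, FILE1) " & _
                      "VALUES (?, ?, ?, ?, ?)"

    ' Widths are assumed; match them to the real column definitions.
    cmd.Parameters.Append cmd.CreateParameter("title", adVarChar, adParamInput, 20, title)
    cmd.Parameters.Append cmd.CreateParameter("name1", adVarChar, adParamInput, 50, name1)
    cmd.Parameters.Append cmd.CreateParameter("name2", adVarChar, adParamInput, 50, name2)
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 100, email)
    cmd.Parameters.Append cmd.CreateParameter("FILE1", adVarChar, adParamInput, 255, fileName)

    cmd.Execute rowsAffected, , adExecuteNoRecords
    InsertApplicant = rowsAffected
    Set cmd = Nothing
End Function

' --- usage, following the shape of the posted script ---
Dim Upload, File, objConn, comments, rows
Set Upload = Server.CreateObject("Persits.Upload.1")
Upload.Save Server.MapPath("/uploads")   ' assumed upload folder

comments = ""
For Each File In Upload.Files
    comments = File.ExtractFileName       ' as in the posted script, the stored value is the file name
Next

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strConnection                ' assumed to be defined in an include, as in the thread

' "ye's" arrives through Upload.Form exactly as typed and is passed straight in, no Replace needed
rows = InsertApplicant(objConn, Upload.Form("title"), Upload.Form("name1"), _
                       Upload.Form("name2"), Upload.Form("email"), comments)

objConn.Close
Set objConn = Nothing
Response.Write "Data added (" & rows & " row)"
%>
```

Doubling the apostrophe is the right fix whenever a value really has to be spliced into a string literal, but it only covers the quoted-string case: a value dropped into a numeric or date position without quotes is not protected by it. A keyword blacklist such as StripChars also damages legitimate data, since it removes those substrings wherever they occur (an employer called "Preselect Ltd" loses "select", a job description containing "--" loses it), and it has to be kept in step with every keyword and casing variant the database accepts. Parameters sidestep both problems, and the one `Execute` with `adExecuteNoRecords` is cheaper than building a 130-line string.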
MerchAffil posted this at 10:07 — 8th December 2005.
They have: 17 posts
Joined: Oct 2005
Hey
All fixed now
I would like to thank you very much for your help
Murray