HTML Help Forum
Submitting a text to the database
       HTML Help Forum -> ASP
jim b
Joined: 12 May 2006
Posts: 14

Posted: Sat Jul 22, 2006 10:47 am    Submitting a text to the database

At the moment I have the following code, for a local email system on my Intranet:

Code:
  ' Build the INSERT by concatenating the form values straight into the SQL text
  Set objComm = Server.CreateObject("ADODB.Command")
  objComm.ActiveConnection = strConnect
  objComm.CommandText = "INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) VALUES ('" & user & "', '" & recipient & "', '" & subject & "', '" & message & "', '1')"

  ' Run the statement; intNoOfRecords receives the number of rows affected
  objComm.Execute intNoOfRecords
  Set objComm = Nothing

However, if a user includes a ' in their message they get an error message, as the SQL statement thinks it is moving on to fill the next field.

How can I make the message variable submit regardless of any character that I put into it (including ')?

Thank you
degsy
Joined: 23 Feb 2005
Posts: 2440
Location: North East, UK

Posted: Mon Jul 24, 2006 10:30 am

You need to use validation to prevent SQL injection.

A simple validation is to use Replace

Code:
str = "str with a ' quote"

' Double every single quote so it is read as a literal ' inside the SQL string
newStr = Replace(str, "'", "''")
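The same INSERT from the first post written with ADODB parameters instead of string concatenation, added here as an example and not code from either poster. It assumes the strConnect, user, recipient, subject and message variables from the original code; the column sizes and the numeric type of [locked] are assumptions that have to match the real mail table.

```vbscript
' Added example (not from the original posts): the INSERT into the mail table
' with every value passed as a parameter, so a ' inside a message can no longer
' end the string literal or change the statement. Assumes strConnect, user,
' recipient, subject and message exist as in the first post.
Const adVarChar = 200
Const adLongVarChar = 201
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim objComm, intNoOfRecords, lngMsgSize
Set objComm = Server.CreateObject("ADODB.Command")
objComm.ActiveConnection = strConnect
objComm.CommandType = adCmdText

' ? placeholders are filled by the provider; the SQL text never contains user input
objComm.CommandText = "INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) VALUES (?, ?, ?, ?, ?)"

' Sizes (255) are assumed column widths; adjust to the table definition
objComm.Parameters.Append objComm.CreateParameter("sender", adVarChar, adParamInput, 255, user)
objComm.Parameters.Append objComm.CreateParameter("recipient", adVarChar, adParamInput, 255, recipient)
objComm.Parameters.Append objComm.CreateParameter("subject", adVarChar, adParamInput, 255, subject)

' A long text parameter needs a size greater than zero even for an empty message
lngMsgSize = Len(message)
If lngMsgSize = 0 Then lngMsgSize = 1
objComm.Parameters.Append objComm.CreateParameter("message", adLongVarChar, adParamInput, lngMsgSize, message)

' [locked] is assumed to be a numeric column; use adVarChar and "1" if it is text
objComm.Parameters.Append objComm.CreateParameter("locked", adInteger, adParamInput, , 1)

objComm.Execute intNoOfRecords
Set objComm = Nothing
```

With parameters the Replace step is no longer needed for correctness, and the message is stored exactly as the user typed it, quotes included.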