jim b
Joined: 12 May 2006 Posts: 14
Posted: Sat Jul 22, 2006 10:47 am
Post subject: Submitting a text to the database
At the moment I have the following code, for a local email system on my Intranet:
Code:
Set objComm = Server.CreateObject("ADODB.Command")
objComm.ActiveConnection = strConnect
objComm.CommandText="INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) VALUES ('" & user & "', '" & recipient & "', '" & subject & "', '" & message & "', '1')"
objComm.Execute intNoOfRecords
Set objComm = Nothing
However, if a user includes a ' in their message they get an error message, as the SQL statement thinks it is moving on to fill the next field.
How can I make the message variable submit regardless of any character that I put into it (including ')?
Thank you
degsy

Joined: 23 Feb 2005 Posts: 2440 Location: North East, UK
Posted: Mon Jul 24, 2006 10:30 am
You need to use validation to prevent SQL injections.
A simple validation is to use Replace
Code:
str = "str with a ' quote"
newStr = Replace(str,"'","''")
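As an added example, not code from either poster: the INSERT from the original post rewritten to bind each value as an ADODB parameter rather than concatenating it into the SQL text. With parameters the database receives a quote character as data, so a message containing ' is stored exactly as typed and cannot change the shape of the statement, and no Replace step is required. It assumes the same strConnect, user, recipient, subject and message variables as the original post; the ADO constant values are the standard ones from adovbs.inc, and the column sizes are assumptions.

```vbscript
' Added example (not from the original thread): parameterised version of the
' INSERT from the first post. Assumes strConnect, user, recipient, subject and
' message already exist, as in the original code.

' ADO constants (standard values from adovbs.inc), declared here so the snippet
' runs without including that file
Const adCmdText     = 1
Const adParamInput  = 1
Const adVarChar     = 200
Const adLongVarChar = 201

Dim objComm, intNoOfRecords, lngMsgSize

Set objComm = Server.CreateObject("ADODB.Command")
objComm.ActiveConnection = strConnect
objComm.CommandType = adCmdText

' Each ? is a placeholder; the provider binds the parameters below in order.
' [locked] is a constant in the original post, so it stays a literal here.
objComm.CommandText = "INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) " & _
                      "VALUES (?, ?, ?, ?, '1')"

' Some providers reject a size of 0 for a long text parameter, so use at
' least 1 even when the message is empty (a larger size than the data is fine)
lngMsgSize = Len(message)
If lngMsgSize < 1 Then lngMsgSize = 1

' One parameter per placeholder, appended in the same order as the ? marks.
' The sizes (255) are assumed column widths; adjust them to the real schema.
objComm.Parameters.Append objComm.CreateParameter("sender",    adVarChar,     adParamInput, 255,        user)
objComm.Parameters.Append objComm.CreateParameter("recipient", adVarChar,     adParamInput, 255,        recipient)
objComm.Parameters.Append objComm.CreateParameter("subject",   adVarChar,     adParamInput, 255,        subject)
objComm.Parameters.Append objComm.CreateParameter("message",   adLongVarChar, adParamInput, lngMsgSize, message)

' Execute exactly as before; intNoOfRecords receives the row count
objComm.Execute intNoOfRecords
Set objComm = Nothing
```

The parameter names are only labels for readability; with an OLE DB or ODBC provider the binding is positional, so the Append calls must follow the order of the ? placeholders. The same pattern applies to every other statement in the application that takes user input, not only the message field that raised the error.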