  1. #1
    darkwater23

    Escape SQL before insert?

    I'm working on an ASP project (usually I'm a PHP guy) and I wanted to encode a string to make it safe for a SQL insert. Is there a function built into ASP for that or do I just need to replace single quotes?

  2. #2
    bbolte

    there are many things you can do - it depends on how secure you want it. escaping single quotes is probably the minimum depending on the data. i've used regular expressions to clean stuff up if it was something like user names and passwords. i've also built functions to make sure some SQL phrases (like "drop table") and html/javascript weren't used.

  3. #3
    darkwater23

    I've been looking at using parameters to build the SQL commands. In ASP, there's a command object that you have to append parameters to and then execute.

    I've found many different examples, but I haven't been able to get one to work. Does anyone have a solid, well-explained parameterized query example for ASP?

    Thanks!
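
Added example, not part of the original thread: a classic ASP page that inserts form input through an ADODB.Command with bound parameters, so the SQL text is fixed and no quote escaping is needed. The connection string, the `Comments` table, the form field names and the `InsertComment` function are assumptions made for illustration.

```vbscript
<%
Option Explicit
' ADO constants (values as in adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adExecuteNoRecords = 128

' Assumed for this example: the connection string and a table
' Comments(Author VARCHAR(50), Body VARCHAR(2000), PostId INT).
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=ExampleDb;Integrated Security=SSPI;"

Function InsertComment(author, body, postId)
    Dim conn, cmd, affected
    ' Check type and length before the database sees the values.
    If Not IsNumeric(postId) Then Err.Raise vbObjectError + 1, "InsertComment", "postId must be numeric"
    If Len(author) = 0 Or Len(author) > 50 Then Err.Raise vbObjectError + 2, "InsertComment", "author length out of range"
    If Len(body) > 2000 Then Err.Raise vbObjectError + 3, "InsertComment", "body too long"

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The SQL text never contains user input; each ? is bound in Append order.
    cmd.CommandText = "INSERT INTO Comments (Author, Body, PostId) VALUES (?, ?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@Author", adVarChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("@Body", adVarChar, adParamInput, 2000, body)
    cmd.Parameters.Append cmd.CreateParameter("@PostId", adInteger, adParamInput, , CLng(postId))

    cmd.Execute affected, , adExecuteNoRecords
    InsertComment = affected
    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
End Function

' CStr turns the Request.Form items into plain strings before they are bound.
' An author such as O'Brien is stored as literal text, quote included.
Dim rowsInserted
rowsInserted = InsertComment(CStr(Request.Form("author")), CStr(Request.Form("body")), CStr(Request.Form("postId")))
Response.Write rowsInserted & " row(s) inserted"
%>
```

With an OLE DB provider the parameter names passed to `CreateParameter` are labels only; binding follows the order of the `?` placeholders.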

