  1. #1
    SitePoint Zealot
    Join Date
    May 2008
    Posts
    112

    How to properly escape quotes being written to db

    I have a form that is writing user info to a database.

    My save function has this:

    Code:
    User.SetValue("FirstName", txtFirstName.Text)
    User.SetValue("LastName", txtLastName.Text)
    User.SetValue("Email", txtEmail.Text)
    User.SetValue("City", txtCity.Text)
    User.SetValue("Password", txtPassword.Text)

    Some users are getting errors, and my testing indicates it has to do with unescaped quotes... Is there some function I can use to filter these text fields prior to running the save function here?

    Should I use server.htmlencode, or is there a better recommendation? Thanks
    renkai.com

  2. #2
    SitePoint Evangelist praetor's Avatar
    Join Date
    Aug 2005
    Posts
    479
    No NO NO! This is not php. Your save function should use parameterized queries and NOT concat values. This is basic ADO.NET usage.
    If you want something to use faster, try PetaPoco.
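The parameterized ADO.NET insert the reply above is asking for, written against the fields from the first post, as an added example that is not code from either poster. The Users table, its column sizes, and the connection string are assumptions; the concatenated version is shown only to illustrate why a quote in a name breaks the statement.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original thread. Assumes a SQL Server table
// Users(FirstName, LastName, Email, City, Password) and a caller-supplied
// connection string; both are assumptions, not from the post.
public static class UserRepository
{
    // WRONG: building the SQL by concatenation. A value such as O'Brien
    // terminates the string literal early (the error the original poster saw)
    // and lets user input change the meaning of the statement.
    public static string BuildConcatenatedSql(string firstName, string lastName)
    {
        return "INSERT INTO Users (FirstName, LastName) VALUES ('" +
               firstName + "', '" + lastName + "')";
    }

    // RIGHT: parameterized INSERT. Values travel separately from the SQL text,
    // so quotes in the data never reach the parser as SQL syntax and no
    // manual escaping (and no HtmlEncode, which is for HTML output) is needed.
    public static void SaveUser(string connectionString, string firstName,
                                string lastName, string email, string city,
                                string password)
    {
        const string sql =
            "INSERT INTO Users (FirstName, LastName, Email, City, Password) " +
            "VALUES (@FirstName, @LastName, @Email, @City, @Password)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths match the column definitions and avoid
            // implicit conversions; the sizes below are assumed, adjust to the schema.
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstName;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 100).Value = city;
            // Password is passed through as a parameter here; storing it hashed
            // rather than as entered is a separate concern this thread does not cover.
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 200).Value = password;

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```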

