Re: Making user input safe

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: CHRISM (chris_at_sorry.no.spam.com)
Date: 11/04/04

• Next message: Ken Dopierala Jr.: "Re: Making user input safe"
• Previous message: rroman_at_800mcmahan.com: "Re: changing the value of a textBox with selection from a dropDown"
• In reply to: Stephen Adam: "Making user input safe"
• Next in thread: Ken Dopierala Jr.: "Re: Making user input safe"
• Messages sorted by: [ date ] [ thread ]

---

Date: Thu, 04 Nov 2004 13:34:27 -0500

On Thu, 04 Nov 2004 17:31:51 GMT, "Stephen Adam"
<stephen.adam@ntlworld.com> wrote:

>Hi there,
>
>I am working on a project were a user can update a SQL Server DB via a web
>form. I've included a number of text boxes for a user to enter in strings.
>The text from these boxes is then used in an update command. My problem is
>if the user enters any speech marks then it will break the code as they are
>interpretted as the end of the SQL statement. I'm sure there are other
>characters which will also cause problems.
>
>Here is a code snippet.
>sSQL = "INSERT INTO t_links VALUES (" & "'" & tbLinkName.Text() & "'" & ","
>& "'" & tbLinkAddress.Text() & "'" & "," & "'" & tbLinkDescription.Text() &
>"'" & ")"
>
>Is there any automated way of turning the contents of these text boxes into
>their literal form so the contents can be safely used in this way?
>
>In PHP you've got HTMLSpecialChars function which will turn script/html into
>the actual text we want. Is there anything like this I can use for VB.net?
>
>Thanks
>
>Steve

You want to change single quotes into two single quotes..

Instead of using:

        tbLinkName.Text()

Try using:

        tbLinkName.Text().Replace("'","''")

Same for any other text data that may contain single quotes..

// CHRIS

---

• Next message: Ken Dopierala Jr.: "Re: Making user input safe"
• Previous message: rroman_at_800mcmahan.com: "Re: changing the value of a textBox with selection from a dropDown"
• In reply to: Stephen Adam: "Making user input safe"
• Next in thread: Ken Dopierala Jr.: "Re: Making user input safe"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Making user input safe ... I am working on a project were a user can update a SQL Server DB via a web ... I've included a number of text boxes for a user to enter in strings. ... characters which will also cause problems. ... Here is a code snippet. ... (microsoft.public.dotnet.languages.vb) RE: SQL Server 2005 64 bit on Window Server 2003 R2 64bit slow per ... "Jason Wilson" wrote: ... If the box itself checked out fine, then move on to runnign SQL Server on ... Perfmon, Disk I/O, Pages, Profiler traces, checked locks/blocks, long running ... slow on these boxes to me. ... (microsoft.public.sqlserver.setup) Re: Jet >SQL conversion ... I wonder if populating the rowsource OnEnter into the combobox control and ... consider getting Mary Chipman's book on SQL Server and Access. ... > forms are unbound with only combo boxes which prompt the user for the ... > would speed things up for those that don't use dataless keys? ... (microsoft.public.access.modulesdaovba) Re: Trim Email Address down to domain only ... SQL Server uses single quotes, ... "Steve Roberts" wrote in message ... >> Doug Steele, Microsoft Access MVP ... (microsoft.public.access.queries) Re: MemoryStream Memory Intensive? newbie ... > Users fill in a couple of text boxes and I use that for to create ... Danger! ... SQL Server Magazine for complete details. ... string objects cause extra load on the GC which may slow down ASP.NET. ... (microsoft.public.dotnet.general)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > DotNet  > microsoft.public.dotnet.languages.vb  > 2004-11