
asp_databases thread: Looking for a more efficient approach


Message #1 by "Chirag Shah" <chiragiit@y...> on Sun, 27 Oct 2002 17:40:21
In order to resolve the apostrophe (') problem in SQL queries I am using this
function, but for each Request.Form( ) I have to call this function
(SafeSQL), or another approach is to use the Replace() function with each
Request.Form().

Is there a more efficient approach to do this so you do not have to call
either the VBScript Replace() function or a custom SafeSQL() function for
each Request.Form("textfieldname")?

-------------------------------------------------------------
<%
' Doubles any apostrophe so the value can sit inside a single-quoted SQL literal.
Function SafeSQL( _
   ByVal strToRenderSafe _
   )
   SafeSQL = Replace(strToRenderSafe, "'", "''")
End Function

Dim ObjConn, rs, TempAccess
Set ObjConn = Server.CreateObject("ADODB.Connection")
ObjConn.Open "DSN=bdntte.networkinfo;UID= PWD="

' Every string column goes through SafeSQL. The ID column is numeric, so it is
' cast with CLng rather than concatenated raw (the original left it unescaped).
' VBScript statements cannot simply wrap, hence the line continuations (_).
TempAccess = "UPDATE networkinfo SET " & _
   "CustomerName = '" & SafeSQL(Request.Form("CustName")) & "', " & _
   "Networksoftware = '" & SafeSQL(Request.Form("NetworkSoftware")) & "', " & _
   "ServerI = '" & SafeSQL(Request.Form("ServerI")) & "', " & _
   "ServerII = '" & SafeSQL(Request.Form("ServerII")) & "', " & _
   "ServerIII = '" & SafeSQL(Request.Form("ServerIII")) & "', " & _
   "MailServer = '" & SafeSQL(Request.Form("MailServer")) & "', " & _
   "ISP = '" & SafeSQL(Request.Form("ISP")) & "', " & _
   "ISPPhone = '" & SafeSQL(Request.Form("ISPPhone")) & "', " & _
   "Virussoftware = '" & SafeSQL(Request.Form("VirusSoftware")) & "', " & _
   "Firewall = '" & SafeSQL(Request.Form("Firewall")) & "', " & _
   "Router = '" & SafeSQL(Request.Form("Router")) & "', " & _
   "RemoteAccess = '" & SafeSQL(Request.Form("RemoteAccess")) & "' " & _
   "WHERE ID = " & CLng(Request.Form("ID"))

'Response.Write(TempAccess)
ObjConn.Execute TempAccess
ObjConn.Close
Set ObjConn = Nothing
%>
-----------------------------------------------------------------------
Message #2 by "Chirag Shah" <chiragiit@y...> on Sun, 27 Oct 2002 21:51:17
After a few hours of research, I think I have to do something like this.
Agree...??
---------------------------------------------------------------
' Copies every posted field into a Dictionary, escaping apostrophes once, so the
' page can read myform("field") later without calling Replace() at each use.
Function RemoveCharacters()
  Dim frm, item
  Set frm = Server.CreateObject("Scripting.Dictionary")
  frm.CompareMode = 1   ' vbTextCompare: field names are matched case-insensitively
  For Each item In Request.Form
    frm.Add CStr(item), Replace(Request.Form(item), "'", "''")
  Next
  Set RemoveCharacters = frm
End Function

Dim myform
Set myform = RemoveCharacters()

Response.Write myform("formfieldname") ' refer to a specific form field

------------------------------------------------------------------
Message #3 by "Ken Schaefer" <ken@a...> on Mon, 28 Oct 2002 11:58:56 +1100
Please define "efficient".

At the moment I think you mean "I want something that is less effort on my
part as a programmer".

On the other hand, if you want a more "robust" solution, I would use stored
procedures, and use a Command object and Parameters. You don't need to
escape anything then.

Cheers
Ken

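The Command-and-Parameters approach Ken recommends, written out for the poster's UPDATE as an added example (this is not code from the thread or from Wrox). It assumes the networkinfo table, its column names and the DSN string from the first message; the Const values are the standard ADO enumeration values, spelled out so the page does not depend on adovbs.inc. Column names come only from a fixed list in the script, and every value, including the numeric ID that the original concatenated raw, travels as a typed parameter, so nothing is escaped by hand and nothing from the form ever becomes part of the SQL text:

```vbscript
<%
' Added example, not from the original thread: parameterised UPDATE via ADODB.Command.
' Assumed: table networkinfo, its columns and the DSN as posted in message #1.
Const adCmdText    = 1     ' standard ADO CommandTypeEnum value
Const adInteger    = 3     ' standard ADO DataTypeEnum value
Const adVarChar    = 200   ' standard ADO DataTypeEnum value
Const adParamInput = 1     ' standard ADO ParameterDirectionEnum value

' Maps each database column to the form field that supplies it. Column names
' come only from this list, never from the request, so the SQL text is fixed.
Function NetworkInfoColumns()
    Dim cols
    Set cols = Server.CreateObject("Scripting.Dictionary")
    cols.Add "CustomerName",    "CustName"
    cols.Add "Networksoftware", "NetworkSoftware"
    cols.Add "ServerI",         "ServerI"
    cols.Add "ServerII",        "ServerII"
    cols.Add "ServerIII",       "ServerIII"
    cols.Add "MailServer",      "MailServer"
    cols.Add "ISP",             "ISP"
    cols.Add "ISPPhone",        "ISPPhone"
    cols.Add "Virussoftware",   "VirusSoftware"
    cols.Add "Firewall",        "Firewall"
    cols.Add "Router",          "Router"
    cols.Add "RemoteAccess",    "RemoteAccess"
    Set NetworkInfoColumns = cols
End Function

' Builds "UPDATE networkinfo SET col = ?, ... WHERE ID = ?" and binds one
' parameter per "?" placeholder. Returns the number of rows affected.
Function UpdateNetworkInfo(conn, id)
    Dim cols, col, i, sql, cmd, affected
    Set cols = NetworkInfoColumns()

    ReDim parts(cols.Count - 1)
    i = 0
    For Each col In cols.Keys
        parts(i) = col & " = ?"
        i = i + 1
    Next
    sql = "UPDATE networkinfo SET " & Join(parts, ", ") & " WHERE ID = ?"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql

    ' "?" parameters are positional, so they are appended in the same order as
    ' the placeholders. Scripting.Dictionary enumerates keys in insertion order,
    ' which is why the two loops over cols.Keys line up.
    For Each col In cols.Keys
        cmd.Parameters.Append cmd.CreateParameter( _
            col, adVarChar, adParamInput, 255, CStr(Request.Form(cols(col))))
    Next
    ' CLng raises a runtime error on a non-numeric ID instead of passing it on.
    cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, 4, CLng(id))

    cmd.Execute affected
    UpdateNetworkInfo = affected
    Set cmd = Nothing
End Function

Dim objConn, rowsUpdated
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "DSN=bdntte.networkinfo;UID= PWD="
rowsUpdated = UpdateNetworkInfo(objConn, Request.Form("ID"))
objConn.Close
Set objConn = Nothing
%>
```

Because the SQL string never changes between requests, the same code also answers the "efficiency" question from the first message: there is no per-field Replace() or SafeSQL() call at all. One ADO caveat worth knowing: some providers reject an empty string as the value of an adVarChar parameter; if a form field may legitimately be blank, substituting Null for the empty string before CreateParameter is the usual workaround.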

