Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
July 22nd, 2006, 02:02 PM
Registered User
Join Date: May 2006
Posts: 5

Help submitting a field into a database

At the moment I have the following code for a local email system on my intranet:
' ADO command object used to run the INSERT
Set objComm = Server.CreateObject("ADODB.Command")
objComm.ActiveConnection = strConnect

' The values are pasted straight into the SQL text, so a ' inside any of them ends the string literal early
objComm.CommandText = "INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) " & _
                      "VALUES ('" & user & "', '" & recipient & "', '" & subject & "', '" & message & "', '1')"

objComm.Execute intNoOfRecords   ' intNoOfRecords receives the number of rows affected
Set objComm = Nothing


However, if a user includes a ' in their message they get an error message, as the SQL statement thinks it is moving on to fill the next field.

How can I make the message variable submit regardless of any character that I put into it (including ')?

Thank you

 
July 26th, 2006, 09:32 PM
Wrox Author: dparsons
Join Date: Oct 2005
Posts: 4,104

I would do something like this:
Sub Whatever()
   ' Clean each value taken from the form before it is used in the INSERT
   user = StringCleaner(user)
   recipient = StringCleaner(recipient)
   ' ...etc for the remaining values
End Sub

Function StringCleaner(dirtyString)
  ' Replace ' and , with their HTML numeric character references (&#39; and &#44;)
  dirtyString = Replace(dirtyString, "'", "&#39;")
  dirtyString = Replace(dirtyString, ",", "&#44;")
  StringCleaner = dirtyString
End Function

What this does is replace ' and , with their ASCII value which, when displayed on an HTML page or in an HTML email, will produce the appropriate characters. This is also a good practice even if you weren't faced with this problem because it helps prevent SQL injection.

HTH

"The one language all programmers understand is profanity."
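The same INSERT written with ADO command parameters instead of string concatenation, added here as an example that is not from either post. It reuses the question's mail table, column names, strConnect and variables; the column sizes passed to CreateParameter are assumptions, and the ADO constant values are the standard ones from adovbs.inc.

```vbscript
' Added example: parameterized INSERT for the classic ASP mail form.
' User input travels in the parameter objects, not in the SQL text, so a ' (or any
' other character) in message is stored as typed and cannot alter the statement.
' Assumptions: same table/columns/strConnect as the question; column sizes are guesses.
Const adCmdText          = 1     ' ADO CommandTypeEnum
Const adVarChar          = 200   ' ADO DataTypeEnum
Const adParamInput       = 1     ' ADO ParameterDirectionEnum
Const adExecuteNoRecords = 128   ' ADO ExecuteOptionEnum: no recordset needed for an INSERT

Set objComm = Server.CreateObject("ADODB.Command")
objComm.ActiveConnection = strConnect
objComm.CommandType = adCmdText
objComm.CommandText = "INSERT INTO mail ([sender], [recipient], [subject], [message], [locked]) " & _
                      "VALUES (?, ?, ?, ?, '1')"

' One parameter per ? placeholder; with ? markers the provider binds them by position,
' so they must be appended in the same order as the placeholders appear.
objComm.Parameters.Append objComm.CreateParameter("sender",    adVarChar, adParamInput, 50,   user)
objComm.Parameters.Append objComm.CreateParameter("recipient", adVarChar, adParamInput, 50,   recipient)
objComm.Parameters.Append objComm.CreateParameter("subject",   adVarChar, adParamInput, 255,  subject)
objComm.Parameters.Append objComm.CreateParameter("message",   adVarChar, adParamInput, 8000, message)

' Execute returns the affected row count in intNoOfRecords, as in the original code
objComm.Execute intNoOfRecords, , adExecuteNoRecords
Set objComm = Nothing
```

Because the values never touch the SQL text, the StringCleaner replacement step is no longer needed for the database; whatever the user typed (including ' and ,) is what the message column holds.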




