April 29, 2003 at 6:52 am
Hi
I creating select statements dynamicly, but want to want to protect against sql-injection, and still be able to search for special characters, so i do the following replacement:
' -> ''
[ -> [[]
But when i use ] -> []] it does not find any (not even records with field=']')
what do i do ??
Regards
Benny Bech
April 29, 2003 at 7:16 am
One way would be to search for char(93) which is the ascii code for ].
You can use select ascii(']') to get the ascii value.
Jeremy
April 29, 2003 at 7:26 am
Transact Sql help says that
LIKE ']' to be used for searching for ] character and not '[]]'.
Hope this helps
April 29, 2003 at 7:29 am
quote:
...protect against sql-injection...
Look into the proper use of QUOTENAME function to protect your scripts. Here's a quick link:
http://doc.ddart.net/mssql/sql70/qua-quz.htm
April 29, 2003 at 8:00 am
Hi
I may not hav made the problem clear enough.
I want a general soulution to change what the user entered, so it is useable for everything the users enters.
IF the users in the input box enters a[k']p
if want if to finds record with exactly "a[k']p" in the fields, NOT "akp" and NOT "qa[k']p".
and if the user clicks in the "anywhere" checkmark I preceed and succed the searchstring with %, record also record with field "qa[k']p" and "a[k']pq"
I am using ADO objects commandtext (from Delphi) so I can't use the suggested QUOTENAME (unless i call en procedure for each field.
Regards
Benny Bech
April 29, 2003 at 8:32 am
As I said earlier, before executing the query
replace all [ with [[]
Do not replace ] with []]. Keep them as it is.
For your example
"a[k']p" becomes "a[[]k']p"
So searching in database for "a[[]k']p"
retrieves the records with "a[k']p"
April 30, 2003 at 1:12 am
Hi
I have solved it, problem was that I was also doing:
] -> []]
but i shouldn't.
btw. % -> [%] and _ -> [_] was needed to make it complete.
Thank you for participating.
Regards
Benny Bech
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply