Special characters

  • Hi all,

    I am used to removing single quotes from my command strings or escaping them by inserting another single quote before. Now however I am trying to insert general text into a table that may include many of the 'special' characters like () ? / ' ". Is there a way to encapsulate an entire string so that SQL ignores any special characters within that encapsulation and just inserts it as text..?

    Thanks for any advice.

  • Hi Rolf,

    quote:


    I am used to removing single quotes from my command strings or escaping them by inserting another single quote before. Now however I am trying to insert general text into a table that may include many of the 'special' characters like () ? / ' ". Is there a way to encapsulate an entire string so that SQL ignores any special characters within that encapsulation and just inserts it as text..?


    maybe WRITETEXT or UPDATETEXT will do what you want.

    For myself, I always use REPLACE to get rid of those characters

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • Ok, maybe I missed something all this time, but I have never had a special character bother me other than ', as long as it is wrapped in single quotes 'nnnnnn'. So what is everyone running into that I have yet to hit?

  • quote:


    Ok, maybe I missed something all this time, but I have never had a special character bother me other than ', as long as it is wrapped in single quotes 'nnnnnn'. So what is everyone running into that I have yet to hit?


    there are some more characters to watch. Look at this one:

    http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    I've just visited the site and there is a new one out:

    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    and they've added some I saw for the first time like

    http://www.nextgenss.com/papers/tp-SQL2000.pdf

    http://www.nextgenss.com/papers/asp.pdf

    Hope you never hit it

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • Ok, I understand if you are using injectable query strings that are built dynamically. But I wrap everything except a few views in SPs, so I am covered. But I have seen people complain about it without an injection possibility. So what am I missing that those are complaining about? (Just in case I have not come across it or dealt with it without realizing.)

  • Hi Antares686,

    quote:


    Ok, I understand if you are using injectable query strings that are built dynamically. But I wrap everything except a few views in SPs so I am covered.


    not 100% bulletproof.

    Read this link

    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    I think it's all about injection, like you've mentioned before. And like you, I haven't experienced any issue with strings containing characters apart from '.

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • Sorry, I use the Procedure ADO command type, not a string built from the SP. And the account doesn't have any access other than an occasional view hit, which would allow anything to happen. Ok, just wanted to be sure I didn't have my fly open, so to speak.
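Added example (not part of the thread, and not code from any of the posters): a runnable Python script that uses an in-memory SQLite database as a stand-in for SQL Server, since the quoting rule for string literals (write a single quote as '') is the same in both. It shows the three things discussed above: the '' escaping the original poster uses, what happens when that escaping is forgotten (a syntax error with ordinary text, a changed query with hostile text), and the answer to the original question, which is to pass the text as a query parameter so the driver sends it separately from the SQL and no character in it is ever parsed as SQL. That is the same mechanism Antares686 gets from the ADO stored-procedure command type with parameters. The sample text and the attacker payload are constructed here, not taken from the thread.

```python
import sqlite3

# Constructed sample text (not from the thread): it contains every character the
# original post lists as "special" -- ( ) ? / ' " -- plus a comment marker and a
# semicolon, which look dangerous but are harmless inside a string literal.
SAMPLE_TEXT = """O'Reilly asked: "why?" (see /docs/faq) -- 50% done; NULL"""

# Constructed attacker input for the WHERE-clause lookup below.
INJECTION_PAYLOAD = "' OR '1'='1"


def escape_single_quotes(value: str) -> str:
    """The rule from the thread: every ' inside a quoted literal becomes ''.
    The single quote is the only character that can end a T-SQL/SQLite string
    literal, which is why nothing else on the poster's list needs escaping."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for SQL Server; the literal quoting rule is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, text: str, escape: bool = True) -> None:
    """Builds the INSERT as one string, the way the original poster does.
    escape=False is the 'forgot to escape' case."""
    value = escape_single_quotes(text) if escape else text
    conn.execute("INSERT INTO notes (body) VALUES ('" + value + "')")


def insert_parameterized(conn: sqlite3.Connection, text: str) -> None:
    """The 'encapsulation' the poster asked for: the value travels as a parameter,
    separate from the SQL text, so the parser never sees it as SQL."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def find_concatenated(conn: sqlite3.Connection, text: str) -> list:
    """Vulnerable lookup: the value is spliced into the WHERE clause unescaped."""
    sql = "SELECT body FROM notes WHERE body = '" + text + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn: sqlite3.Connection, text: str) -> list:
    """Same lookup with a parameter: the payload is compared as plain text."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE body = ?", (text,))]


def read_all(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def demo() -> dict:
    """Runs the escaped, parameterized, forgotten-escape and injected cases and
    returns what each produced so the outcomes can be checked, not just printed."""
    conn = setup_db()
    insert_concatenated(conn, SAMPLE_TEXT)      # escaped concatenation: round-trips
    insert_parameterized(conn, SAMPLE_TEXT)     # parameter: round-trips, no escaping needed
    insert_parameterized(conn, "second row")

    # Forgotten escape with ordinary text: the unpaired ' breaks the statement.
    try:
        insert_concatenated(conn, SAMPLE_TEXT, escape=False)
        unescaped_error = None
    except sqlite3.Error as exc:
        unescaped_error = str(exc)

    return {
        "stored": read_all(conn),
        "unescaped_error": unescaped_error,
        # Forgotten escape with hostile text: the query's meaning changes and
        # every row comes back, although no row equals the payload.
        "injected_lookup": find_concatenated(conn, INJECTION_PAYLOAD),
        # The same payload as a parameter matches nothing.
        "safe_lookup": find_parameterized(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Parameters protect a value only where the SQL text itself is fixed. A stored procedure that concatenates its own parameters into a string and runs it with EXEC is back in the first case, which is what the "not 100% bulletproof" reply above refers to.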
