HTML - ASP Server Encode (

Hello,

I have a form that inserts data into a database. I've just found that the data being inserted is resulting in the following -

(

The part of my insert statement that grabs the variable looks like -

Dim CMDProductInsert__name
CMDProductInsert__name = ""
' Escape for SQL first, then HTML-encode the already-escaped string
if(UploadFormRequest("name") <> "") then CMDProductInsert__name = Server.HTMLEncode(ProtectSQL(UploadFormRequest("name")))

Where ProtectSQL is -

Function ProtectSQL(SQLString)
    ' Double single quotes so the value can sit inside a quoted SQL literal
    SQLString = Replace(SQLString, "'", "''")
    ' Turn line feeds into HTML line breaks
    SQLString = Replace(SQLString, vblf, "<br />")
    ' Entity-encode parentheses
    SQLString = Replace(SQLString, "(", "&#40;")
    SQLString = Replace(SQLString, ")", "&#41;")
    ' Trim leading and trailing spaces
    SQLString = Trim(SQLString)
    ProtectSQL = SQLString
End Function
garethtnash asked:
Wayne Barron (Author, Web Developer) commented:
Thats it.
Server.HTMLEncode

Try this

Server.HTMLEncode(ReverseSQL())

This should resolve it
0
 
Wayne Barron (Author, Web Developer) commented:
What are you inserting?
And what is the question?
0
 
garethtnash (Author) commented:
the data inserted was (1)

I got back -

&amp;#40;1&amp;#41;

which when rendered displays like &#40;1&#41;

How do I correct this, whilst still encoding my html and also protecting my sql?

thank you
0
 
nap0leon commented:
If the value is "Robert (Bob)" then

ProtectSQL returns "Robert &#40;Bob&#41;"
HTMLEncode(ProtectSQL) encodes the & as &amp;
Thusly, you get "Robert &amp;#40;Bob&amp;#41;"

If you do not desire such a result, you can move the conversion of the () to after you have HTMLEncoded it.

e.g.,
value = FixParens(Server.HTMLEncode(ProtectSQL(UploadFormRequest("name"))))

where ProtectSQL is
Function ProtectSQL(SQLString)
    ' Double single quotes for the SQL literal; parentheses are no longer touched here
    SQLString = Replace(SQLString, "'", "''")
    ' Turn line feeds into HTML line breaks
    SQLString = Replace(SQLString, vblf, "<br />")
    SQLString = Trim(SQLString)
    ProtectSQL = SQLString
End Function

and FixParens is
Function FixParens(SQLString)
    ' Runs after Server.HTMLEncode, so the & in each entity is not encoded again
    SQLString = Replace(SQLString, "(", "&#40;")
    SQLString = Replace(SQLString, ")", "&#41;")
    SQLString = Trim(SQLString)
    FixParens = SQLString
End Function
0
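To make the ordering problem from the question and nap0leon's fix concrete, here is an added Python model of the thread's VBScript functions (this is editor-supplied example code, not code from the thread). It assumes a hand-written html_encode that mirrors Server.HTMLEncode (it encodes &, <, > and the double quote and leaves the apostrophe alone) and strips spaces only, as VBScript's Trim does; the decode_once helper stands in for what a browser shows after one round of entity decoding.

```python
import html


def html_encode(s):
    """Stand-in for classic ASP Server.HTMLEncode: encodes & < > and the
    double quote; like HTMLEncode it leaves the apostrophe alone."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def protect_sql(s):
    """Model of the thread's original ProtectSQL(): doubles single quotes,
    turns line feeds into <br />, entity-encodes parentheses, trims spaces."""
    s = s.replace("'", "''")
    s = s.replace("\n", "<br />")
    s = s.replace("(", "&#40;")
    s = s.replace(")", "&#41;")
    return s.strip(" ")  # VBScript Trim removes spaces only


def protect_sql_no_parens(s):
    """nap0leon's reduced ProtectSQL(): the parenthesis replacements are gone."""
    s = s.replace("'", "''")
    s = s.replace("\n", "<br />")
    return s.strip(" ")


def fix_parens(s):
    """nap0leon's FixParens(): parentheses are encoded after HTMLEncode has
    run, so the & in each entity is never seen by the encoder."""
    s = s.replace("(", "&#40;")
    s = s.replace(")", "&#41;")
    return s.strip(" ")


def original_pipeline(value):
    """Server.HTMLEncode(ProtectSQL(value)) as in the question: the & of
    &#40; is encoded a second time and becomes &amp;#40;."""
    return html_encode(protect_sql(value))


def reordered_pipeline(value):
    """FixParens(Server.HTMLEncode(ProtectSQL(value))) with the reduced
    ProtectSQL, i.e. nap0leon's ordering."""
    return fix_parens(html_encode(protect_sql_no_parens(value)))


def decode_once(s):
    """What the browser shows after decoding the stored string once."""
    return html.unescape(s)


if __name__ == "__main__":
    # Constructed sample inputs, including the "(1)" value from the question
    for v in ["(1)", "Robert (Bob)", "O'Brien (Bob)\nline 2"]:
        print(repr(v))
        o, r = original_pipeline(v), reordered_pipeline(v)
        print("  original :", o, "->", decode_once(o))
        print("  reordered:", r, "->", decode_once(r))
```

Running it reproduces the question exactly: "(1)" comes out of the original pipeline as &amp;#40;1&amp;#41; and renders as &#40;1&#41;, while the reordered pipeline yields &#40;1&#41; and renders as (1). The same model also shows that the <br /> substitution, which both versions of ProtectSQL perform before HTMLEncode, is encoded to &lt;br /&gt; by the same mechanism.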
 
Wayne Barron (Author, Web Developer) commented:
Or
you can do as I do, and reverse everything.

Function ProtectSQL(SQLString)
    ' Applied before the INSERT
    SQLString = Replace(SQLString, "'", "''")
    SQLString = Replace(SQLString, vblf, "<br />")
    SQLString = Replace(SQLString, "(", "&#40;")
    SQLString = Replace(SQLString, ")", "&#41;")
    SQLString = Trim(SQLString)
    ProtectSQL = SQLString
End Function

Function ReverseSQL(SQLRev)
    ' Applied when reading back for display: undoes each ProtectSQL replacement
    SQLRev = Replace(SQLRev, "''", "'")
    SQLRev = Replace(SQLRev, "<br />", vblf)
    SQLRev = Replace(SQLRev, "&#40;", "(")
    SQLRev = Replace(SQLRev, "&#41;", ")")
    SQLRev = Trim(SQLRev)
    ReverseSQL = SQLRev
End Function


You protect your inserted code with ProtectSQL()
And then to display it back to the page as ReverseSQL()

This keeps the code in place and protected.
0
 
garethtnash (Author) commented:
Hi Guys,

Sorry, being dumb here -

Nap0leon, does your solution still protect the SQL statement from injection?

CarrzKiss, I don't have &#40;, I have &amp;#40;

Sorry if I'm being dumb
0
 
Wayne Barron (Author, Web Developer) commented:
I am trying to reproduce it and I cannot.
You are writing (1) or (40) and you are getting that value.

Remove the HTMLEncode and see if that will correct it and let me know.
0
 
nap0leon commented:
In my solution, I merely moved the () changes to outside of the HTMLEncode so that the &s in your &#40; replacement you were running do not get encoded to &amp;.

The code would still be protected as well as your initial method.

Personally, I prefer carrzkiss' method... anything I manually change, I manually change back.

But, that presumes the data is only being consumed by your webpages... if a reporting tool or similar is accessing the data in the DB directly, then you will need it to be sanitized before it is inserted (which leads us back to the 3 step approach).
0
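nap0leon's closing point, that the stored value has to be safe for the SQL statement regardless of who reads the table later, is usually met without any string replacement at all: pass the value as a query parameter so it never becomes part of the SQL text, store it as typed, and encode it once at the moment it is written into HTML. The following is an added Python example (editor-supplied, not code from the thread or from classic ASP) that uses sqlite3 placeholders and html.escape as stand-ins for ADODB parameters and Server.HTMLEncode; note that html.escape, unlike Server.HTMLEncode, also encodes the apostrophe as &#x27;, and that the thread's line-feed to <br /> conversion is applied after escaping so the tag itself survives. The table and sample values are constructed for the example.

```python
import html
import sqlite3


def create_store():
    """In-memory table standing in for the thread's product table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_product(conn, name):
    """Store the value exactly as typed. The ? placeholder hands the value to
    the driver separately from the SQL text, so quotes or parentheses in it
    cannot alter the statement; no ProtectSQL-style replacement is needed."""
    cur = conn.execute("INSERT INTO product (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def fetch_product_name(conn, product_id):
    """Read the raw value back; it is still plain text, usable by any consumer."""
    row = conn.execute("SELECT name FROM product WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None


def render_name(name):
    """Encode once, at the point the value is written into an HTML page.
    Line feeds become <br /> after escaping, so the tag is not encoded."""
    return html.escape(name, quote=True).replace("\n", "<br />")


def round_trip(name):
    """Insert, read back and render; returns (stored, rendered)."""
    conn = create_store()
    pid = insert_product(conn, name)
    stored = fetch_product_name(conn, pid)
    return stored, render_name(stored)


def row_count_after_insert(name):
    """How many rows the table holds after inserting one value."""
    conn = create_store()
    insert_product(conn, name)
    return conn.execute("SELECT COUNT(*) FROM product").fetchone()[0]


if __name__ == "__main__":
    # Constructed inputs: the question's value, a name with quote and
    # parentheses, markup, and a value containing a quote and comma
    for v in ["(1)", "Robert O'Brien (Bob)", "<b>x</b>\ny", "a', 'b"]:
        stored, rendered = round_trip(v)
        print(f"{v!r:26} stored={stored!r:26} rendered={rendered!r}")
    print("rows after inserting a quote-bearing value:", row_count_after_insert("a', 'b"))
```

The stored column holds "(1)" and "Robert O'Brien (Bob)" unchanged, so a reporting tool reading the table directly sees the real data, while the rendered form is entity-encoded exactly once. In classic ASP the equivalent of the ? placeholder is an ADODB.Command whose values are supplied through Parameters.Append(CreateParameter(...)) rather than concatenated into CommandText.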
 
garethtnash (Author) commented:
thank you
0