garethtnash asked:

HTML - ASP Server Encode (

Hello,

I have a form that inserts data into a database. I've just found that the data being inserted is resulting in the following -

(

The part of my insert statement that grabs the variable looks like -

Dim CMDProductInsert__name
CMDProductInsert__name = ""
if(UploadFormRequest("name") <> "") then CMDProductInsert__name = Server.HTMLEncode(ProtectSQL(UploadFormRequest("name")))

Where  ProtectSQL is -

' Rewrites a form value before it is concatenated into a SQL string literal:
' doubles single quotes, turns line feeds into <br />, and replaces
' parentheses with numeric character references.
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")     ' ' -> '' (string-literal escape)
SQLString = Replace(SQLString, vblf,"<br />") ' line feed -> HTML line break
SQLString = Replace(SQLString, "(","&#40;")   ' ( -> &#40;
SQLString = Replace(SQLString, ")","&#41;")   ' ) -> &#41;
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function
Wayne Barron

What are you inserting?
And what is the question?
garethtnash (ASKER)

the data inserted was (1)

I got back -

&amp;#40;1&amp;#41;

which when rendered displays like &#40;1&#41;

How do I correct this, whilst still encoding my html and also protecting my sql?

thank you
nap0leon

If the value is "Robert (Bob)" then

ProtectSQL returns "Robert &#40;Bob&#41;"
HTMLEncode(ProtectSQL) encodes the & as &amp;
Thusly, you get "Robert &amp;amp40;Bob&amp;amp41;"

If you do not desire such a result, you can move the conversion of the () to after you have HTMLEncoded it.

e.g.,
value = FixParens(Server.HTMLEncode(ProtectSQL(UploadFormRequest("name"))))

where ProtectSQL is
' SQL-side rewriting only; the parentheses are no longer touched here.
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")     ' ' -> ''
SQLString = Replace(SQLString, vblf,"<br />") ' line feed -> <br />
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function

and FixParens is
' Runs after Server.HTMLEncode, so the & of each entity is not encoded again.
Function FixParens(SQLString)
SQLString = Replace(SQLString, "(","&#40;")
SQLString = Replace(SQLString, ")","&#41;")
SQLString = Trim(SQLString)
FixParens = SQLString
End Function
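To make the ordering problem nap0leon describes concrete, here is an added example (a Python port written for this page, not code from the thread) that traces a constructed value such as "Robert (Bob)" through both orders. `html_encode` is an approximation of `Server.HTMLEncode` (it encodes &, <, > and double quotes and, like the ASP function, leaves single quotes alone); `browser_view` stands in for the browser, which decodes character references exactly once.

```python
import html

# Port to Python of the VBScript functions from the thread, used here only to
# trace what each step does to a constructed sample value.

def html_encode(s: str) -> str:
    """Approximation of Server.HTMLEncode: encodes &, <, > and double quotes.
    Unlike html.escape(quote=True) it leaves single quotes alone, which matters
    because ProtectSQL has already doubled them for the SQL literal."""
    return html.escape(s, quote=False).replace('"', "&quot;")

def protect_sql(s: str) -> str:
    """nap0leon's ProtectSQL: double single quotes, turn line feeds into <br />."""
    s = s.replace("'", "''")
    s = s.replace("\n", "<br />")
    return s.strip()

def fix_parens(s: str) -> str:
    """nap0leon's FixParens: replace parentheses with numeric character references."""
    s = s.replace("(", "&#40;").replace(")", "&#41;")
    return s.strip()

def original_order(value: str) -> str:
    """Order from the question: parens become entities first, then the HTML
    encoder sees the '&' of each entity and turns it into '&amp;'."""
    return html_encode(fix_parens(protect_sql(value)))

def reordered(value: str) -> str:
    """nap0leon's fix: HTML-encode first, add the paren entities afterwards."""
    return fix_parens(html_encode(protect_sql(value)))

def browser_view(stored: str) -> str:
    """What a browser shows when the stored string is placed in HTML:
    character references are decoded once, so '&amp;#40;' shows as '&#40;'."""
    return html.unescape(stored)

if __name__ == "__main__":
    for sample in ["Robert (Bob)", "(1)", "O'Brien <b>"]:  # constructed inputs
        print(repr(sample))
        print("  original order:", original_order(sample),
              "-> browser shows", browser_view(original_order(sample)))
        print("  reordered     :", reordered(sample),
              "-> browser shows", browser_view(reordered(sample)))
```

Running it shows the asker's symptom directly: `original_order("(1)")` yields `&amp;#40;1&amp;#41;`, which the browser displays as the literal text `&#40;1&#41;`, while `reordered("(1)")` yields `&#40;1&#41;`, which displays as `(1)`.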
Or
you can do as I do, and reverse everything.

' Applied on the way in, before the value is concatenated into the INSERT.
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")     ' ' -> ''
SQLString = Replace(SQLString, vblf,"<br />") ' line feed -> <br />
SQLString = Replace(SQLString, "(","&#40;")   ' ( -> &#40;
SQLString = Replace(SQLString, ")","&#41;")   ' ) -> &#41;
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function

' Applied on the way out, undoing each ProtectSQL replacement before display.
Function ReverseSQL(SQLRev)
SQLRev = Replace(SQLRev, "''", "'")           ' '' -> '
SQLRev = Replace(SQLRev,"<br />", vblf)       ' <br /> -> line feed
SQLRev = Replace(SQLRev,"&#40;", "(")         ' &#40; -> (
SQLRev = Replace(SQLRev,"&#41;", ")")         ' &#41; -> )
SQLRev = Trim(SQLRev)
ReverseSQL = SQLRev
End Function


You protect your inserted code with ProtectSQL()
And then to display it back to the page as ReverseSQL()

This keeps the code in place and protected.
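The ProtectSQL/ReverseSQL pair above rewrites the value on the way in and undoes the rewrite on the way out. As an added example (Python with SQLite, written for this page and not the thread's ASP code; the `product` table and `name` column are assumed), here is the alternative most practitioners reach for: a parameterised INSERT sends the typed text to the database separately from the SQL text, so no quote doubling or parenthesis rewriting is needed for the SQL, and HTML encoding is applied exactly once at render time. Because nothing is rewritten on the way in, there is nothing to reverse on the way out, and the double-encoded `&amp;#40;` the asker saw cannot arise.

```python
import html
import sqlite3
from typing import Tuple

# Added example, not code from the thread: store the raw text with a
# parameterised INSERT and HTML-encode exactly once at display time.
# The table name "product" and column "name" are assumptions.

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def insert_product(conn: sqlite3.Connection, name: str) -> int:
    """Store the value as typed; the driver binds it as data, never as SQL text."""
    cur = conn.execute("INSERT INTO product (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid

def stored_name(conn: sqlite3.Connection, product_id: int) -> str:
    row = conn.execute("SELECT name FROM product WHERE id = ?", (product_id,)).fetchone()
    return row[0]

def render_name(conn: sqlite3.Connection, product_id: int) -> str:
    """The only place encoding happens: when the value is written into HTML."""
    return html.escape(stored_name(conn, product_id), quote=True)

def round_trip(name: str) -> Tuple[str, str]:
    """Insert a value and return (what the database holds, what the HTML shows)."""
    conn = open_db()
    pid = insert_product(conn, name)
    return stored_name(conn, pid), render_name(conn, pid)

if __name__ == "__main__":
    # Constructed sample inputs, including the asker's "(1)".
    for sample in ["(1)", "Robert (Bob)", "O'Brien", '<b title="x">bold</b>']:
        stored, rendered = round_trip(sample)
        print(f"{sample!r:26} stored={stored!r:26} html={rendered}")
```

The database keeps `(1)` and `O'Brien` exactly as typed (no doubled quote to reverse), and the HTML output encodes `<`, `>`, quotes and `&` once. In classic ASP the same idea is an `ADODB.Command` with parameters added through `CreateParameter` and `Parameters.Append` in place of string concatenation; the HTML encoding then stays where it belongs, in the page that displays the value.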
Hi Guys,

Sorry, being dumb here -

Nap0leon, does your solution still protect the SQL statement from injection?

CarrzKiss I don't have &#40; I have &amp;#40;

Sorry if I'm being dumb
I am trying to reproduce it and I cannot.
You are writing (1) or (40) and you are getting that value.

Remove the HTMLEncode and see if that will correct it and let me know.
ASKER CERTIFIED SOLUTION
Wayne Barron

thank you