garethtnash
asked on
HTML - ASP Server Encode (
Hello,
I have a form that inserts data into a database. I've just found that the data being inserted is resulting in the following -
&#40;
The part of my insert statement that grabs the variable looks like -
Dim CMDProductInsert__name
CMDProductInsert__name = ""
if(UploadFormRequest("name") <> "") then CMDProductInsert__name = Server.HTMLEncode(ProtectSQL(UploadFormRequest("name")))
Where ProtectSQL is -
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Replace(SQLString, "(", "&#40;")
SQLString = Replace(SQLString, ")", "&#41;")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function
ASKER
the data inserted was (1)
I got back -
&#40;1&#41;
which when rendered displays like (1)
How do I correct this, whilst still encoding my html and also protecting my sql?
thank you
If the value is "Robert (Bob)" then
ProtectSQL returns "Robert &#40;Bob&#41;"
HTMLEncode(ProtectSQL) encodes the & as &amp;
Thusly, you get "Robert &amp;#40;Bob&amp;#41;"
If you do not desire such a result, you can move the conversion of the () to after you have HTMLEncoded it.
e.g.,
value = FixParens(Server.HTMLEncode(ProtectSQL(UploadFormRequest("name"))))
where ProtectSQL is
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function
and FixParens is
Function FixParens(SQLString)
SQLString = Replace(SQLString, "(", "&#40;")
SQLString = Replace(SQLString, ")", "&#41;")
SQLString = Trim(SQLString)
FixParens = SQLString
End Function
Or
you can do as I do, and reverse everything.
You protect your inserted code with ProtectSQL()
And then to display it back to the page as ReverseSQL()
This keeps the code in place and protected.
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Replace(SQLString, "(", "&#40;")
SQLString = Replace(SQLString, ")", "&#41;")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function
Function ReverseSQL(SQLRev)
SQLRev = Replace(SQLRev, "''", "'")
SQLRev = Replace(SQLRev,"<br />", vblf)
SQLRev = Replace(SQLRev, "&#40;", "(")
SQLRev = Replace(SQLRev, "&#41;", ")")
SQLRev = Trim(SQLRev)
ReverseSQL = SQLRev
End Function
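Added example (not code from the thread or from either expert): Python re-creations of the ProtectSQL / FixParens / ReverseSQL helpers above, showing why Nap0leon's ordering avoids the double-encoded &amp;#40; the asker sees, why CarrzKiss's reverse step round-trips, and the layering a practitioner would use instead: a bound SQL parameter on the way in and a single HTML encode at output. html.escape and an in-memory SQLite table are assumptions standing in for Server.HTMLEncode and the asker's unnamed database.

```python
import html
import sqlite3

# Python re-creations of the thread's VBScript helpers (this is an added
# example, not the thread's own ASP code) so the encoding order can be observed.
def protect_sql(s: str) -> str:
    s = s.replace("'", "''").replace("\n", "<br />")
    return s.replace("(", "&#40;").replace(")", "&#41;").strip()

def reverse_sql(s: str) -> str:
    s = s.replace("''", "'").replace("<br />", "\n")
    return s.replace("&#40;", "(").replace("&#41;", ")").strip()

def fix_parens(s: str) -> str:
    return s.replace("(", "&#40;").replace(")", "&#41;").strip()

def asker_pipeline(value: str) -> str:
    # Asker's order: parens become entities first, then the HTML encode turns
    # the '&' of each entity into '&amp;', giving the double-encoded '&amp;#40;'.
    # html.escape(quote=False) stands in for Server.HTMLEncode (assumption).
    return html.escape(protect_sql(value), quote=False)

def nap0leon_pipeline(value: str) -> str:
    # Suggested order: HTML-encode first, then convert the parens exactly once.
    cleaned = value.replace("'", "''").replace("\n", "<br />").strip()
    return fix_parens(html.escape(cleaned, quote=False))

def store_and_render(value: str) -> tuple:
    # Defender's layering, which the thread's helpers only approximate: hand the
    # raw value to the database through a bound parameter (no quote doubling or
    # entity tricks are needed for SQL safety) and HTML-encode once, at output.
    # An in-memory SQLite table stands in for the thread's database (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (name TEXT)")
    con.execute("INSERT INTO product (name) VALUES (?)", (value,))
    stored = con.execute("SELECT name FROM product").fetchone()[0]
    con.close()
    return stored, html.escape(stored)
```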
ASKER
Hi Guys,
Sorry, being dumb here -
Nap0leon, does your solution still protect the SQL statement from injection?
CarrzKiss I don't have ( I have &#40;
Sorry if I'm being dumb
I am trying to reproduce it and I cannot.
You are writing (1) or (40) and you are getting that value.
Remove the HTMLEncode and see if that will correct it and let me know.
ASKER
thank you