Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


SQL Statement refuses to complete itself in code

Posted on 2014-02-19
Medium Priority
Last Modified: 2014-04-29
On my website, I get people to register and then I email then a link which verifies their email address is correct. The link is simply their email address in an encrpyted format which is decrpted when they return back to the verification page.

Encrpting Code and decrpt is here

Private Function EncryptString(strString)

Dim CharHexSet, intStringLen, strTemp, strRAW, i, intKey, intOffSet
Randomize Timer

intKey = Round((RND * 1000000) + 1000000)   '##### Key Bitsize
intOffSet = Round((RND * 1000000) + 1000000)   '##### KeyOffSet Bitsize

    If IsNull(strString) = False Then
         strRAW = strString
         intStringLen = Len(strRAW)
                   For i = 0 to intStringLen - 1
                        strTemp = Left(strRAW, 1)
                        strRAW = Right(strRAW, Len(strRAW) - 1)
                        CharHexSet = CharHexSet & Hex(Asc(strTemp) * intKey) & Hex(intKey)
         EncryptString = CharHexSet & "|" & Hex(intOffSet + intKey) & "|" & Hex(intOffSet)
         EncryptString = ""
    End If
End Function

Private Function DeCryptString(strCryptString)

Dim strRAW, arHexCharSet, i, intKey, intOffSet, strRawKey, strHexCrypData

    strRawKey = Right(strCryptString, Len(strCryptString) - InStr(strCryptString, "|"))
    intOffSet = Right(strRawKey, Len(strRawKey) - InStr(strRawKey,"|"))
    intKey = HexConv(Left(strRawKey, InStr(strRawKey, "|") - 1)) - HexConv(intOffSet)
    strHexCrypData = Left(strCryptString, Len(strCryptString) - (Len(strRawKey) + 1))
     arHexCharSet = Split(strHexCrypData, Hex(intKey))
         For i=0 to UBound(arHexCharSet)
              strRAW = strRAW & Chr(HexConv(arHexCharSet(i))/intKey)
    DeCryptString = strRAW
End Function

Private Function HexConv(hexVar)
Dim hxx, hxx_var, multiply          
         IF hexVar <> "" THEN
              hexVar = UCASE(hexVar)
              hexVar = StrReverse(hexVar)
              DIM hx()
              REDIM hx(LEN(hexVar))
              hxx = 0
              hxx_var = 0
              FOR hxx = 1 TO LEN(hexVar)
                   IF multiply = "" THEN multiply = 1
                   hx(hxx) = mid(hexVar,hxx,1)
                   hxx_var = (get_hxno(hx(hxx)) * multiply) + hxx_var
                   multiply = (multiply * 16)
              hexVar = hxx_var
              HexConv = hexVar
         END IF
End Function
Private Function get_hxno(ghx)
         If ghx = "A" Then
              ghx = 10
         ElseIf ghx = "B" Then
              ghx = 11
         ElseIf ghx = "C" Then
              ghx = 12
         ElseIf ghx = "D" Then
              ghx = 13
         ElseIf ghx = "E" Then
              ghx = 14
         ElseIf ghx = "F" Then
              ghx = 15
         End If
         get_hxno = ghx
End Function

Open in new window

The verify page code is

 verifyid = Request.QueryString ("verifyid")

   emailid = DeCryptString (verifyid)

   strId  = CStr(emailid)
        LOGINSQL = "UPDATE tbl_members SET status = 'live' WHERE emailaddress = '" & strId &"'"
        response.Write LoginSQL
        Response.End ()
        set cmdHitting = Server.CreateObject("ADODB.Command")
            cmdHitting.ActiveConnection = DB_CON
            cmdHitting.CommandText = LOGINSQL
            cmdHitting.CommandType = 1
            cmdHitting.CommandTimeout = 0
            cmdHitting.Prepared = true

Open in new window


My problem is the SQL statement LOGINSQL stops at the email address and does not read the append code for the closed apostrophe.
Question by:souldj
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 33

Accepted Solution

Big Monty earned 672 total points
ID: 39872019
this is not a good way to build sql statements, google "sql injection" and you'll see why )

to fix this issue, you need to replace any single quotes with double quotes, so change

  strId  = CStr(emailid)


  strId  = CStr( Replace( emailid, "'", "''" ) )

Open in new window

or you would be better of using parameterized queries
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 664 total points
ID: 39872058
Are there special characters being sent to the url?  Maybe you need to urlencode the email before sending it to the url?

Try and see what the input looks like
verifyid = Request.QueryString ("verifyid")
 emailid = DeCryptString (verifyid)
response.write verifyid&"<br>"&emailid
response.end ' for testing

Open in new window

LVL 15

Assisted Solution

pateljitu earned 664 total points
ID: 39874121
I would agree with @Big Monty and @Scott Fell, it is better to replace single quotes to avoid SQL injection and also URL encode querystring

There seems to be some problem with decryption logic, but when I tried to wrap decrypted text around HTMLEncodeing I was able to view email address with complete SQL statement.

your verify code will looks as below:

verifyid = Request.QueryString ("verifyid")

   emailid = server.HTMLEncode(replace(DeCryptString(verifyid),"'","''"))

   strId  = CStr(emailid)
        LOGINSQL = "UPDATE tbl_members SET status = 'live' WHERE emailaddress = '" & strId 
        response.Write LoginSQL
        Response.End ()

Open in new window

LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 39874715
fyi... has just about everything you need including hash and encrypt/decrypt 

You have to download the entire file, but you only have to upload the one file that has the functions.  All open source.

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have heard of RFC822 date formats, they can be quite a challenge in SQL Server. RFC822 is an Internet standard format for email message headers, including all dates within those headers. The RFC822 protocols are available in detail at:   ht…
Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA:…

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question