List: General Discussion
From:Paul DuBois Date:September 27 2001 6:36pm
Subject:RE: Escape strategy for web user form entry
At 7:32 PM +0100 9/27/01, johnlucas-Arluna wrote:
>Apologies for the lack of info in my last message, here's some further
>details.
>
>I am using Visual Basic accessing the database through a self-developed
>ActiveX DLL to handle the updates.
>
>I basically open an ADODB recordset object and populate a custom mysqlFields
>class with the field values. When the VBScript ASP page needs to update the
>recordset, it passes the SQL to open it, then populates the fields from the
>form, using:
>
>rsmysql.fields("blahblah") = request.form("blahblah").
>
>When I do rsmysql.update, the custom ActiveX DLL, creates the SQL update
>statement and executes it through the connection object.
>
>It is when creating the Update SQL statement that I do the escape characters
>and, if necessary, the HTMLEncode.

I don't know VB, but in other languages, this wouldn't be quite right.
You don't HTML-encode information for inserting it into the database, you
escape special characters in SQL.  HTML's special characters aren't the same
as the special characters for SQL.  In general, you do this kind of thing:

- Take the input from your form.  If necessary, HTML-decode it to convert
HTML entities such as &lt; or &gt; to < or > (some languages do this for
you automatically).
- To use the input in a query, perform SQL escaping on it, or else use
placeholders.  I don't know what capabilities VB has.  In Perl DBI, you
can call a method quote() that properly escapes things like quotes
and backslashes for you.  Or if you bind data values to placeholders in
the query, the placeholder mechanism takes care of escaping special
characters for you.
- If you want to redisplay the input in a second Web page, *then*
you HTML-encode it.

>
>Thanks for any advice.
>
>John.
>
>By-the-way, if anyone wants the VB source for the ActiveX DLL I've
>developed, send me a mail and I'd be happy to send on to you.
>
>I can't guarantee all of what it does, of course, but it may give a start for
>those that are having problems with wide tables, and want to hide the
>implementation of the updates from your ASP scripts.


-- 
Paul DuBois, paul@stripped
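The three steps Paul lays out (decode on the way in, escape or use placeholders for the query, HTML-encode only on redisplay), as an added example that is not part of the original thread and not John's DLL. It uses Python's sqlite3 module as a stand-in for MySQL; the table, the form values and the mysql_quote() helper are assumptions for the demo. The helper mirrors what a DBI-style quote() does for MySQL in its default SQL mode, while the stored path uses placeholders, and the concatenated path is kept only to show what goes wrong without either.

```python
import html
import sqlite3

# Constructed sample form submission (an assumption for this demo): values
# as a browser might post them, one carrying an HTML entity and an
# apostrophe, one crafted to close a quoted SQL literal early.
FORM = {
    "name": "O&#39;Reilly &amp; Sons",
    "comment": "hi'), ('mallory', 'smuggled row",
}


def decode_form_field(raw):
    """Step 1: undo HTML entity encoding on the way in (some frameworks do this)."""
    return html.unescape(raw)


def mysql_quote(value):
    """What a DBI-style quote() does for MySQL in its default SQL mode: escape
    backslash and single quote, then wrap in quotes. Hand-rolled escaping is
    only right for that mode and a backslash-safe charset, which is why the
    placeholder path below is the one to prefer."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def open_db():
    conn = sqlite3.connect(":memory:")  # assumption: sqlite3 standing in for MySQL
    conn.execute("CREATE TABLE notes (name TEXT, comment TEXT)")
    return conn


def store_note(conn, name, comment):
    """Step 2: placeholders; the driver quotes and escapes the values itself."""
    conn.execute("INSERT INTO notes (name, comment) VALUES (?, ?)", (name, comment))


def store_note_concatenated(conn, name, comment):
    """The string-building version with no escaping, kept only for contrast."""
    conn.execute("INSERT INTO notes (name, comment) VALUES ('%s', '%s')" % (name, comment))


def fetch_notes(conn):
    return conn.execute("SELECT name, comment FROM notes ORDER BY rowid").fetchall()


def render(value):
    """Step 3: HTML-encode only when putting the value back on a page."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def safe_round_trip(form=FORM):
    """Decode, store with placeholders, encode for display.
    Returns the stored rows and the HTML for the first row's fields."""
    conn = open_db()
    store_note(conn, decode_form_field(form["name"]), decode_form_field(form["comment"]))
    rows = fetch_notes(conn)
    return rows, [render(v) for v in rows[0]]


def unsafe_round_trip(form=FORM):
    """Same input through concatenation: the apostrophe breaks the statement,
    and the crafted comment smuggles a second row into the INSERT."""
    conn = open_db()
    name, comment = decode_form_field(form["name"]), decode_form_field(form["comment"])
    try:
        store_note_concatenated(conn, name, "hello")
        apostrophe_error = None
    except sqlite3.OperationalError as exc:
        apostrophe_error = str(exc)
    store_note_concatenated(conn, "Alice", comment)
    return apostrophe_error, fetch_notes(conn)


if __name__ == "__main__":
    print(safe_round_trip())
    print(unsafe_round_trip())
```

With placeholders, the apostrophe and the crafted comment are stored exactly as typed and come back HTML-encoded for the page; through concatenation, O'Reilly produces a syntax error and the comment becomes two rows, which is the gap John's escaping in the DLL has to close.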