List: General Discussion
From: Paul DuBois   Date: September 27 2001 6:54pm
Subject: RE: Escape strategy for web user form entry
At 1:36 PM -0500 9/27/01, Paul DuBois wrote:
>At 7:32 PM +0100 9/27/01, johnlucas-Arluna wrote:
>>Apologies for the lack of info in my last message, here's some further
>>details.
>>
>>I am using Visual Basic accessing the database through a self-developed
>>ActiveX DLL to handle the updates.
>>
>>I basically open an ADODB recordset object and populate a custom mysqlFields
>>class with the field values, when the VBScript ASP page needs to update the
>>recordset, it passes the SQL to open it, then populates the fields from the
>>form, using:
>>
>>rsmysql.fields("blahblah") = request.form("blahblah").
>>
>>When I do rsmysql.update, the custom ActiveX DLL, creates the SQL update
>>statement and executes it through the connection object.
>>
>>It is when creating the Update SQL statement that I do the escape characters
>>and, if necessary, the HTMLEncode.
>
>I don't know VB, but in other languages, this wouldn't be quite right.
>You don't HTML-encode information for inserting it into the database, you
>escape special characters in SQL.  Those aren't the same as the special
>characters for SQL...

Clearly what I said there makes no sense...  I meant to say that characters
that are special in SQL are not the same as the characters that are special
in HTML.

-- 
Paul DuBois, paul@stripped
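The distinction Paul is drawing (the characters that are special in SQL are not the ones that are special in HTML, so each context needs its own escaping) is easy to see with a worked example. The following is an added illustration, not code from the thread or from any MySQL client library: it uses Python's sqlite3 module as a stand-in database, a hypothetical `notes(body)` table, and a constructed form value. `sql_quote` uses standard-SQL quote doubling only; a real MySQL client escape function also handles backslashes and NUL bytes, so treat it as illustrative. The parameterized variant at the end goes beyond what the thread discusses and is the approach a practitioner would reach for today.

```python
import html
import sqlite3

# Constructed sample input: the kind of value a web form field might carry.
FORM_VALUE = "O'Reilly <b>bold</b> & co"


def sql_quote(value: str) -> str:
    """Return value as a quoted SQL string literal.

    Standard-SQL escaping: double every single quote, which is the only
    character that can terminate the literal. (Illustrative helper, not a
    replacement for the database driver's own escape function.)
    """
    return "'" + value.replace("'", "''") + "'"


def html_encode(value: str) -> str:
    """HTML-encode for output. quote=False mirrors HTMLEncode routines that
    touch only & < > and leave the single quote alone."""
    return html.escape(value, quote=False)


def store_sql_escaped(conn: sqlite3.Connection, value: str) -> None:
    """Escape for the SQL context at insert time; the stored text stays raw."""
    conn.execute("INSERT INTO notes(body) VALUES (" + sql_quote(value) + ")")


def store_html_encoded(conn: sqlite3.Connection, value: str) -> None:
    """The strategy the thread warns against: HTML-encode before inserting.
    The single quote is not special in HTML, so it survives and still breaks
    out of the SQL string literal."""
    conn.execute("INSERT INTO notes(body) VALUES ('" + html_encode(value) + "')")


def store_parameterized(conn: sqlite3.Connection, value: str) -> None:
    """Bind the value as a parameter: no string-level escaping needed at all."""
    conn.execute("INSERT INTO notes(body) VALUES (?)", (value,))


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(body TEXT)")

    # Correct strategy: SQL-escape on the way in, HTML-encode on the way out.
    store_sql_escaped(conn, FORM_VALUE)
    stored = conn.execute("SELECT body FROM notes").fetchone()[0]
    rendered = html_encode(stored)

    # Wrong strategy: HTML-encoding does nothing for the quote, so the
    # statement is malformed (or, with a crafted value, injected).
    try:
        store_html_encoded(conn, FORM_VALUE)
        html_encoding_inserted = True
    except sqlite3.OperationalError:
        html_encoding_inserted = False

    # Parameterized insert: same raw text stored, no quoting to get wrong.
    store_parameterized(conn, FORM_VALUE)
    rows = [r[0] for r in conn.execute("SELECT body FROM notes").fetchall()]

    return {
        "stored_raw": stored,
        "rendered_html": rendered,
        "html_encoding_inserted": html_encoding_inserted,
        "quote_survives_html_encoding": "'" in html_encode(FORM_VALUE),
        "rows": rows,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The database ends up holding the user's text exactly as typed; `&lt;b&gt;` never reaches the table, so the same row can later be rendered into HTML, a CSV export or a JSON API with the encoding appropriate to each output. HTML-encoding on the way in, by contrast, both corrupts the stored data and leaves the SQL-special quote untouched.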