Thread: sql injects

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    10
    Member #
    12706
    hi
    I've built a forum, only really a simple one, but when a user signs up and puts a ' in the username or password it will then throw a paddy fit and crash.
    To stop this problem in the posts I've used the Replace code to replace ' with `; this works well.
    I also got it to work with usernames but it doesn't like the passwords.
    Has anyone got code that will check the data entered, then tell the user that they can't enter ' and send them back to the sign up page?
    Also, can you send the user "back" using ASP code? I know you can in Java but wondered if it was possible in ASP.
    Thanks in advance

  3. #2
    ACW
    ACW is offline
    Member
    Join Date
    Jul 2004
    Posts
    82
    Member #
    6554
    Instead of replacing ' with `, try replacing ' with ''.
    Code:
    Replace(value, "'", "''")
    I would also escape other characters such as -- (the characters used to insert a comment in MS SQL).

  4. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    10
    Member #
    12706
    Why would I replace ' with ''?
    Is there a way of checking before I go to the next page, like using Java? So if the password contains ' then I want a message to tell them they can't use '.

    I have used Java before but am not confident with it.

  5. #4
    ACW
    ACW is offline
    Member
    Join Date
    Jul 2004
    Posts
    82
    Member #
    6554
    Quote Originally Posted by charcroft
    Why would I replace ' with ''?
    Because that is one way to escape that character. It will insert (or search for) just one single quote on the database.
    Quote Originally Posted by charcroft
    Is there a way of checking before I go to the next page, like using Java? So if the password contains ' then I want a message to tell them they can't use '.
    I'm not sure what you mean by "going to the next page", nor am I familiar with Java, but you can certainly check for whatever you want and redirect the browser wherever you want depending on the results. For example...
    Code:
    If InStr(1, strPassword, "'") > 0 Then
    	'There is at least one single quote
    	Response.Redirect "hassinglequote.asp"
    Else
    	'There is no one single quote
    	Response.Redirect "nosinglequote.asp"
    End If

  6. #5
    Junior Member
    Join Date
    Mar 2006
    Posts
    10
    Member #
    12706
    OK, cheers, I will try that. Bloody annoying, these SQL bugs; the rest of the site works nicely but is just open to input errors.
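
The escaping discussed in this thread only protects a query if every value is passed through Replace before it is concatenated; a parameterized ADO command removes that dependency, so a ' in a username or password is stored as typed instead of breaking the statement. This is an added example, not code from any poster in the thread; the users table and its columns, the form field names, signup.asp, welcome.asp and the connection string are assumptions.

```vbscript
' Added example. Assumed names: users table and columns, form fields,
' signup.asp / welcome.asp, and the placeholder connection string.
Option Explicit

Const adCmdText = 1            ' CommandTypeEnum: plain SQL text
Const adVarWChar = 202         ' DataTypeEnum: variable-length Unicode string
Const adParamInput = 1         ' ParameterDirectionEnum: input parameter
Const adExecuteNoRecords = 128 ' ExecuteOptionEnum: statement returns no rows
Const MAX_LEN = 50             ' assumed column width

' True when the value is non-empty and fits the column.
Function FitsColumn(value)
    FitsColumn = (Len(value) > 0 And Len(value) <= MAX_LEN)
End Function

' Inserts one row; the values are bound as parameters, never spliced into SQL.
Sub InsertUser(conn, userName, password)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO users (username, password) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, MAX_LEN, userName)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, MAX_LEN, password)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

Dim strUser, strPassword, conn
strUser = Trim(Request.Form("username"))
strPassword = Request.Form("password")

If FitsColumn(strUser) And FitsColumn(strPassword) Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "PLACEHOLDER_CONNECTION_STRING"
    ' A value such as O'Brien or pass'--word is stored exactly as typed.
    ' (A real site would bind a password hash here rather than the password.)
    InsertUser conn, strUser, strPassword
    conn.Close
    Set conn = Nothing
    Response.Redirect "welcome.asp"
Else
    ' Same server-side redirect as in the thread's InStr example
    Response.Redirect "signup.asp?error=length"
End If
```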

