Old Nov 8th, 2005, 9:53 PM   #1
louis99
help: single quote(') cause error

Hi, I am new here

I have a text box, I put data from text box into a database.

For example, if I put the word That in the text box, the query is executed successfully. But if I put That's then it fails, because the ' causes the error.

What should I do to take care of that?

thanks
Old Nov 8th, 2005, 10:13 PM   #2
iignotus
Not sure about VB, but do you have to escape quotes?
instead of just.
Old Nov 9th, 2005, 12:18 AM   #3
bl00dninja
Not really sure about your implementation here... is it just a coincidence that that particular character is also the one that designates comments in VB?
Old Nov 9th, 2005, 2:58 AM   #4
InfoGeek
If you're executing a SQL insert query, then you need to escape the single quote(') by preceding it with another single quote(').
Old Nov 9th, 2005, 3:48 PM   #5
Rory
Yeah, it's your sanitization of input that's the problem. Basically, whatever the language, if you're taking user input and shoving it into a command of some form, be it ping.exe or SQL, there are always possibilities of errors or even code injection if you do not correctly constrain, sanitize and/or reject user input before forming your command string. For example, I could put an SQL comment "--" in your textbox and, depending on what you were using, wipe the database, access confidential information or even (say in Access) use the stored procedure xp_command to execute arbitrary commands as SYSTEM (==root). OK, not a big concern for this project you might think, but you'd appreciate the importance of big_k stopping people with strange usernames from executing code on the PFO servers.

Constrain, reject, sanitize!

In this instance, you should write a function that validates a token in an SQL statement correctly, in every possible way you can think of: length, data type, range, format. If in doubt, reject the input. OK, so now you've got it escaping the quote with a slash or whatever. What if I told you that the big-endian extended characters c0af e080af 252f 35c 253563 3563 255c u005c are all various Unicode incarnations of the back/forward slash that Microsoft miserably failed to validate in IIS4, leading to trivial URL directory traversal attacks (microsoft.com/..%c0%af..%c0%af..%c0%af..%c0%af../windows/system32/crash.exe) that could let an attacker manipulate and run arbitrary files on the server?

This is why I personally avoid taking input that has come from the user and directly transferring it into something else like an SQL string: even if it's just the other side of a select statement, by not copying it directly you are eliminating the chance that some new extension to the SQL language that uses the # character as an escape sequence will cause a security hole. Nevertheless, if you absolutely must, there are wrapper libraries or alternatively a good selection of regular expressions that "clean" stuff ready for SQL concatenation.

</rant>
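The three approaches discussed in this thread side by side, as an added example that is not code from any poster: the plain string concatenation that breaks on That's (louis99's symptom), InfoGeek's fix of doubling the single quote, and Rory's advice to constrain the input and keep it out of the statement text altogether by binding it as a parameter. It is written in Python against the standard-library sqlite3 module rather than VB so it runs stand-alone; the `notes` table and the 200-character limit are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Throwaway in-memory database with one text column (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def insert_concat(conn, text):
    # The original poster's pattern: user text pasted straight into the SQL.
    # A ' in the text ends the string literal early and the statement breaks,
    # and anything after it is parsed as SQL rather than stored as data.
    conn.execute("INSERT INTO notes (body) VALUES ('" + text + "')")


def insert_doubled(conn, text):
    # InfoGeek's fix: inside a SQL string literal, a literal ' is written as ''.
    # This cures the apostrophe case but still builds SQL from user text.
    conn.execute("INSERT INTO notes (body) VALUES ('" + text.replace("'", "''") + "')")


def insert_param(conn, text, max_len=200):
    # Rory's "constrain, reject, sanitize": enforce what you know about the
    # field first, then bind the value so it can never be parsed as SQL.
    if not isinstance(text, str) or not text or len(text) > max_len:
        raise ValueError("rejected input")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def try_insert(fn, text):
    # Run one insert strategy on a fresh database and report what happened:
    # ("ok", stored_value), ("error", sqlite error class) or ("rejected", reason).
    conn = make_db()
    try:
        fn(conn, text)
    except sqlite3.Error as e:
        return ("error", type(e).__name__)
    except ValueError as e:
        return ("rejected", str(e))
    row = conn.execute("SELECT body FROM notes").fetchone()
    return ("ok", row[0])


if __name__ == "__main__":
    for fn in (insert_concat, insert_doubled, insert_param):
        print(fn.__name__, try_insert(fn, "That's"))
```

Note that with concatenation the input `x') --` stores only `x` and silently discards the rest as a comment, exactly the "--" case Rory describes, while the bound parameter stores the text verbatim.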
Old Nov 9th, 2005, 4:03 PM   #6
DaWei
Great post, Rory. My frequently-increasing despair is salved by such.
DaniWeb IT Discussion Community