’ replacement

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=10012
Printed Date: 31 March 2026 at 4:31pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: ’ replacement
Posted By: zMaestro
Subject: ’ replacement
Date Posted: 15 April 2004 at 12:21pm

Hi,

I want to replace the ' mark, this mark ('), since it is entered in a text box and supposed to be sent to the database, and sure it gives an error in the SQL statement since it closes the statement before the job is done.

how can this be done through the replacement code, i.e. what character am I supposed to exchange it with?

thanks again :)




Replies:
Posted By: Semikolon
Date Posted: 15 April 2004 at 1:21pm

strInput = Replace(strInput, "'", "&#39;")

 

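ASCII Table

Character   Special sign   Decimal sign
space                      &#32;
!                          &#33;
"           &quot;         &#34;
#                          &#35;
$                          &#36;
%                          &#37;
&           &amp;          &#38;
'                          &#39;
(                          &#40;
)                          &#41;
*                          &#42;
+                          &#43;
,                          &#44;
-                          &#45;
.                          &#46;
/                          &#47;
0                          &#48;
1                          &#49;
2                          &#50;
3                          &#51;
4                          &#52;
5                          &#53;
6                          &#54;
7                          &#55;
8                          &#56;
9                          &#57;
:                          &#58;
;                          &#59;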
<


Posted By: Mart
Date Posted: 15 April 2004 at 1:23pm
If you're getting an error when you put ' in, it means someone could do a SQL injection. Do a Google for SQL injection.


Posted By: zMaestro
Date Posted: 17 April 2004 at 6:29pm

oh no :(

the & character gives me error too since it is sent as querystring

how can I replace the & character?



Posted By: Semikolon
Date Posted: 18 April 2004 at 5:08am
&amp; LOL

before sending the data to the querystring, run Server.URLEncode() or Server.HTMLEncode()


Posted By: zMaestro
Date Posted: 18 April 2004 at 6:33am

what do they do?



Posted By: Mart
Date Posted: 18 April 2004 at 6:35am
Turn things like & into &amp;... But if you get an error because an & is present you will still get an error with &amp;


Posted By: Semikolon
Date Posted: 18 April 2004 at 7:02am
is it possible to transfer it in the header instead of the URL?


Posted By: Mart
Date Posted: 18 April 2004 at 7:36am
It's not the URL which is giving him a problem. It is inserting ampersands into an SQL query and executing it.



Posted By: Semikolon
Date Posted: 18 April 2004 at 9:24am
Originally posted by zMaestro:

oh no :(

the & character gives me error too since it is sent as querystring

how can I replace the & character?


I guess he sends it over the URL before inserting into the database



Posted By: Mart
Date Posted: 18 April 2004 at 9:38am
Yes, but the error isn't being caused by a & in the URL. It's being caused when he is inserting it into a database. What database are you using? If you're using SQL Server consider using Stored Procedures, then you won't have any of these problems.


Posted By: michael
Date Posted: 18 April 2004 at 11:21am
With ASP you will have those problems with SPs as well because there is no way (to my knowledge) to treat SPs' parameters as literals. And Semikolon is right, if you have a & in your querystring it gives you problems also, as it will truncate the QS at that point.

-------------
Blog: http://baumannphoto.com | MPG Tracker: http://mpgtracker.com


Posted By: ljamal
Date Posted: 18 April 2004 at 11:33am
Instead of using GET, POST the form and you will not have the querystring problem with ampersands.

-------------
L. Jamal Walton

L. Jamal Inc : Web/Print Design and ASP Programming - http://www.ljamal.com/


Posted By: Semikolon
Date Posted: 18 April 2004 at 12:04pm
Originally posted by Mart:

Yes, but the error isn't being caused by a & in the URL. It's being caused when he is inserting it into a database. What database are you using? If you're using SQL Server consider using Stored Procedures, then you won't have any of these problems.


at least he said it was in the querystring, and SQL won't get problems with & as Encoded HTML (which inserts without problems) uses &


If the data comes from a form, use POST instead of GET (as ljamal said), else you may store it in cookies or sessions


Posted By: zMaestro
Date Posted: 18 April 2004 at 3:56pm

it's not a form :(

here is an example:
http://www.egymalls.com/Catalog.asp?Field=Category&Cat=Electrical%20Appliances&FieldContent=Item&Sub=006-025-087

If there is the character & as in (Cat=Home & Acessories) it will corrupt the URL.

I see the space is converted into %20
Is there a value for the character & or ' in the same way???



Posted By: Semikolon
Date Posted: 18 April 2004 at 4:15pm
%26

use Response.Write(Server.URLEncode("characters")) and you will get the value working with URLs


Posted By: zMaestro
Date Posted: 29 April 2004 at 9:27am

thanks... server.URLEncode() did the job..
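
Added example (not part of the original thread and not any poster's code): a Classic ASP page that handles both problems raised above, binding the category value as an ADO command parameter so that a ' cannot end the SQL string, and running Server.URLEncode over each value placed in a link so that & becomes %26. The Items table, its Category/ItemName/ItemCode columns and the Application("CatalogConnString") setting are assumptions made for illustration.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, strCat, strCode, strName, strLink

' Request.QueryString returns the decoded value, so a link carrying
' Cat=Home%20%26%20Acessories arrives here as "Home & Acessories".
strCat = Request.QueryString("Cat")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("CatalogConnString")   ' hypothetical setting name

' The ? placeholder is bound as data, never spliced into the SQL text,
' so quotes in strCat need no Replace() and cannot change the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ItemName, ItemCode FROM Items WHERE Category = ?"
cmd.Parameters.Append cmd.CreateParameter("Cat", adVarChar, adParamInput, 100, strCat)
Set rs = cmd.Execute

Do Until rs.EOF
    strName = rs("ItemName").Value & ""
    strCode = rs("ItemCode").Value & ""

    ' URL-encode each value separately; the & between parameters stays literal.
    strLink = "Catalog.asp?Field=Category&Cat=" & Server.URLEncode(strCat) & _
              "&FieldContent=Item&Sub=" & Server.URLEncode(strCode)

    ' HTML-encode whatever is written into the page, including the href.
    Response.Write "<a href=""" & Server.HTMLEncode(strLink) & """>" & _
                   Server.HTMLEncode(strName) & "</a><br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```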

 



