#1
09-Jan-2006, 23:38
pcxgamer
Senior Member
Join Date: Sep 2002
Location: South Carolina, USA
Posts: 1,095

SQL Error Problem


I have finished writing a script and web page to submit information to an Access DB, but I needed to ask for some advice on handling an error that I can get with this script.

The problem is with the SQL statement. Let's say that someone writes out the information to be added to the database in the text area. The problem is if the information they input has any ( ' ), e.g. don't.
The script will error out; the reason is that when this is passed into the script, wherever the ( ' ) is, the script thinks that is the end of the SQL statement and then errors out.

Other than not allowing special characters, is there any way to fix this problem?

I was also wondering: when adding information to an Access DB, there are other special characters added in this text area that don't cause problems with the SQL, but are these OK to add to a DB?
__________________
If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
#2
10-Jan-2006, 22:31
pcxgamer

Re: SQL Error Problem


I did finally code a workaround: I used JavaScript to strip out any characters that I didn't want in the fields. This is a good workaround, although it does its work on the client; where this script is being used, there is no need for it to be server side.

Code:
<script language="JavaScript">
<!--
// Strip quote characters from each text area of the "turnover" form.
function clearText() {
  document.turnover.add_mainframe.value = filterNum(document.turnover.add_mainframe.value);
  document.turnover.add_distributed.value = filterNum(document.turnover.add_distributed.value);
  document.turnover.add_network.value = filterNum(document.turnover.add_network.value);
  document.turnover.add_hardware.value = filterNum(document.turnover.add_hardware.value);
  document.turnover.add_miscellaneous.value = filterNum(document.turnover.add_miscellaneous.value);
}

// Remove backticks, single quotes and double quotes from str.
function filterNum(str) {
  var re = /\`|\'|\"/g;
  return str.replace(re, "");
}
//-->
</script>
#3
10-Jan-2006, 23:32
crystalattice
Aspiring author
Join Date: Apr 2004
Location: Japan (again)
Posts: 1,628

Re: SQL Error Problem


I would imagine you could use PHP to write a similar script if you wanted a server-side stripping. 'Course, I'm relearning PHP again so I may not know anything yet.
__________________
Start Programming with Python-A beginner's guide to programming and the Python language.
-------------
Common Sense v2.0-Striving to make the world a little bit smarter.
#4
11-Jan-2006, 02:17
pcxgamer

Re: SQL Error Problem


I'm not sure; I know very little about PHP personally, but the language behind this SQL is ASP and VBScript. Work has me working on projects that require me to learn ASP, VBScript, SQL, MSAccess, and Visual Basic, to name a few.

So I'm sure there will be a lot more questions to come, and some code as well, as I have already finished 3 projects to date. Looking back over some of the code that I have written, even now it looks really bad.
#5
06-Feb-2006, 15:59
bugmaster
New Member
Join Date: Feb 2006
Posts: 14

Re: SQL Error Problem


I wouldn't rely on JavaScript for such use; the programming language you have should have filters and other functions to prevent "injection" such as this. It's more of a problem than a ' causing the insert to fail; you have to address it as a security concern with all your form posts.

Regards,
Bugmaster
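
The server-side handling the last reply points to, for the ASP/VBScript and Access setup described in the thread: a parameterized INSERT through ADODB.Command, so a value such as don't is bound as data and never becomes part of the SQL text. This is an added example, not code from any poster; the form field names come from the thread's JavaScript, while the database path, table name, column names and length limit are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' ADO constants (values from adovbs.inc), declared so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adLongVarWChar = 203
Const adExecuteNoRecords = 128
' Hypothetical values: database path and per-field length limit.
Const DB_PATH = "C:\data\turnover.mdb"
Const MAX_LEN = 4000

Dim fields, values(4), conn, cmd, i
' Form field names as used in the thread's JavaScript.
fields = Array("add_mainframe", "add_distributed", "add_network", _
               "add_hardware", "add_miscellaneous")

' Validate on the server before touching the database; filtering done in
' the browser is not enforced here.
For i = 0 To UBound(fields)
    values(i) = Request.Form(fields(i)) & ""
    If Len(values(i)) > MAX_LEN Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
Next

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text is fixed; each ? is filled from a bound parameter.
' Table and column names are hypothetical.
cmd.CommandText = "INSERT INTO turnover_notes " & _
    "(mainframe, distributed, network, hardware, miscellaneous) " & _
    "VALUES (?, ?, ?, ?, ?)"

For i = 0 To UBound(values)
    ' Quotes in the value need no stripping or escaping: it is passed as data.
    cmd.Parameters.Append cmd.CreateParameter("p" & i, adLongVarWChar, _
        adParamInput, MAX_LEN, values(i))
Next

cmd.Execute , , adExecuteNoRecords
conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```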
 
 
