ansaurus

Question

Stop the user entering ' char

Answer 1

+7 A:

Use parameterized statements properly, and this will be handled for you.

Matthew Flaschen 2010-03-30 07:21:41

Answer 2

+2 A:

Uh-oh. Use parameterized queries.

Anton Gogolev 2010-03-30 07:22:14

I can't it is a dynamically generated sql string where some of the rownames are provided via web controls. It is an internal app running behind the firewall, authenticated against AD so users are trusted. Any other suggestions?

Phil 2010-03-30 07:25:09

Just because users are trusted doesn't mean they won't accidentally create a query that really messes things up....

MadKeithV 2010-03-30 07:27:42

@Phil - Even if you're building the statement up in code, you can still put a parameter in the statement at the point where you're currently copying a value in, and add the appropriate parameter to the parameters collection.

Damien_The_Unbeliever 2010-03-30 07:28:51

@Phil - also, better hope you're not in that 18% - http://www.schneier.com/blog/archives/2008/06/it_attacks_insi.html

Damien_The_Unbeliever 2010-03-30 07:30:14

Answer 3

+1 A:

You can escape ' character with two of them '', e.g.

sql += "Surname LIKE '%" & name.Replace("'", "''") & "%' AND "

and SQL will accept it then.

However, I would suggest using parameters.

Josip Medved 2010-03-30 07:23:12

This is subjective (hence no -1) but I'd really, really think twice before even suggesting manual escaping, even if you do point to using parameterized queries then.

Pasi Savolainen 2010-03-30 07:26:16

@Pasi . Why is this?

Phil 2010-03-30 07:29:12

@Pasi: I agree that not using parameters is not best solution, but if Phil doesn't want them, manual escaping will at least give working code. And I think that there is enough warnings in other posts anyhow. :)

Josip Medved 2010-03-30 07:44:03

Thanks, Im aware of the warnings and going to action them

Phil 2010-03-30 07:47:56

Answer 4

+1 A:

Use javascript onKeyDown event for the textbox - if the typed char is an apostrophe, you can simply drop it, so that it is not entered.
On the server side, you should simply replace "'" with "", just to make sure.
Be aware, that this is a very unsecure and unstable solution.

Dercsár 2010-03-30 07:31:52

Answer 5

A:

To actually answer the question, you can put an OnKeyDown javascript event on your textbox, detect the key that was pressed, and potentially cancel the input:

<input class="mainSearchBox" type="text" id="searchTerm" onkeydown="DetectIllegalKeys();">

<script>
function DetectIllegalKeys() {
    if (event.keyCode == 222) {
        event.returnValue = false;
    }
}
</script>

to instead change apostrophes to an alternate character:

<input class="mainSearchBox" type="text" id="searchTerm" onkeyup="ChangeSingleQuote();">

<script>
function ChangeSingleQuote() {
    var searchTerm = document.getElementById('searchTerm');
    searchTerm.value = searchTerm.value.replace(/'/g, "e"); 

}

I highly recommend that you not use this approach for this problem! Far better to fix the application to allow searches for titles of any character string.

Coxy 2010-03-30 07:35:33

I'm also guessing for this approach to work, your database will need to store O'Reilly books as OReilly books :-)

CResults 2010-03-30 08:41:10

Answer 6

A:

You need to understand why the error occurs and not just solve it symptomatically. Read through Microsoft's own document about SQL Injection to find out how to protect yourself from this class of security flaws.

http://msdn.microsoft.com/en-us/library/ms998271.aspx

(As several others pointed out, parameterized statements is the solution.)

kb 2010-03-30 07:55:14

Answer 7

A:

it needs revision

gnomey 2010-03-30 08:09:01

ansaurus

tags:

views:

answers:

Stop the user entering ' char

related questions