PHP-style Magic Quotes in ASP?

         

mcfly

1:41 pm on Nov 1, 2004 (gmt 0)

10+ Year Member



Hi all,

Does anyone know if there's a way in ASP of automatically replacing quote characters with " like 'magic quotes' does in PHP?

If not, is there an alternative to doing a replace operation on each and every text input for a whole website to protect it against quotes messing up SQL queries?

Any suggestions appreciated. Thanks

natty

2:15 pm on Nov 2, 2004 (gmt 0)

10+ Year Member



As far as I know, ASP doesn't help you there at all.
I still use a replace function on all inputs to stop screwy quote action.
By no means does that mean it's the correct thing to do though :)
Is it that you are trying to fill the db with data with quotes in?
Or just removing them or replacing them with 2 quotes instead of just the one..?

aspdaddy

12:39 pm on Nov 3, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Re-write the queries as stored procedures and pass the inputs as parameters.

You shouldn't ever run unvalidated text inputs in SQL queries, but you can make the validation easier by writing your own functions and looping the whole Response.Form collection.

HTH
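
The stored-procedure approach suggested above, sketched in classic ASP as an added example that is not part of any poster's message: the form value is bound as an ADO parameter, so a quote in it is treated as data and needs no replace step. The procedure name `usp_FindCustomers`, the `Surname` column, the `surname` form field and the connection string are hypothetical placeholders.

```asp
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1
Const MAX_SURNAME = 50

' Placeholder: substitute the site's own connection string.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"

' Calls the hypothetical stored procedure usp_FindCustomers with the surname
' bound as a parameter; the value never becomes part of the SQL text.
Function FindCustomersByName(conn, surname)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_FindCustomers"
    cmd.Parameters.Append cmd.CreateParameter("@Surname", adVarChar, adParamInput, MAX_SURNAME, surname)
    Set FindCustomersByName = cmd.Execute
End Function

Dim conn, rs, surname
surname = Trim(Request.Form("surname"))

' Validation still applies: reject empty input and keep the value within
' the declared parameter size before binding it.
If Len(surname) = 0 Or Len(surname) > MAX_SURNAME Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid surname."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING
Set rs = FindCustomersByName(conn, surname)   ' a value such as O'Brien is passed unchanged
Do Until rs.EOF
    ' Encode on output so stored quotes and angle brackets render as text.
    Response.Write Server.HTMLEncode(rs("Surname") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same `ADODB.Command` object also accepts inline SQL with `?` placeholders when `CommandType` is set to `adCmdText` (1), for queries that have not been moved into stored procedures.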

mcfly

4:44 pm on Nov 4, 2004 (gmt 0)

10+ Year Member



Thanks for the advice guys.

In the end, I got round the problem of having to do a replace on every post/get variable by writing a function to automatically loop through all the passed variables, replace any dubious characters, then store the results in a VBScript dictionary so I could reference them just like I would if they were still part of the request.form or request.querystring collections.

Cheers!