Is there a way to replace characters?

hassaan

[HassaaN]
In ASP, is there a way to replace characters? What I mean by this is that I have a form in which users can submit their comments. Now what they do is they at times even use the single-quotation (also known as an apostrophe) in their messages. Now when the message is being added to the database, that single-quotation causes an error and the user gets frustrated, not knowing what to do.

I have used the following code:

message=request.QueryString("message")
msgby=request.QueryString("msgby")

set con=server.createobject("ADODB.connection")
con.open "provider=microsoft.jet.oledb.4.0;data source="&server.mappath("database.mdb")

post="INSERT into MessagesTable(Message,MsgBy)values('" & message & "','" & msgby & "')"
set post=con.execute(post)


Also, if this can be done, I suppose many things like this can be done -- making text appear in bold and italics should be functioning just like it functions in these forums. I hope I have made myself clear!

Thanks,
Hassaan
 

david.brent

Registered User.
When you say ASP, do you mean VBScript? If so it's quite simple...

Replace(string, char(s) to replace, char(s) to replace them with)

Hope this helps.
 

Kodo

"The Shoe"
The entire replacement code you're looking for is

Replace(message,"'","''")

Executing inline SQL leaves you open to SQL injection... please consider using stored procedures.
 

hassaan

[HassaaN]
The code that you suggested hasn't worked in my case. Don't know what's going wrong, but it isn't working --- I copied and pasted your code.
Also, can you explain the last line in your reply (Kodo) about SQL injections...
 

Adeptus

What's this button do?
If you have your SQL command in your ASP, eg

post="INSERT into MessagesTable(Message,MsgBy)values('" & message & "','" & msgby & "')"
set post=con.execute(post)

then a malicious user could set "msgby" to something like

"0; xp_cmdshell 'format c:'"

Anything after the semicolon is treated as a new command... they might need a few random quote marks to break out of the string delimiter, but that's no great feat.
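The same INSERT written so that user input can never be parsed as SQL, as an added example that is not from any post in this thread: the values are passed as ADODB.Command parameters instead of being concatenated into the statement, which fixes both the apostrophe error and the injection Adeptus describes. It assumes the table and columns from the original post, that Message is a Memo field and MsgBy a Text(50) field, and that the ADO constants are defined here because adovbs.inc is not included.

```vbscript
<%
Option Explicit
' Added example: parameterised version of the thread's INSERT.
' Table/column names follow the original post; field types are assumed.
Dim con, cmd, message, msgby

' Standard ADO constant values, defined here instead of including adovbs.inc
Const adCmdText      = 1
Const adParamInput   = 1
Const adVarWChar     = 202
Const adLongVarWChar = 203

message = Request.QueryString("message")
msgby   = Request.QueryString("msgby")

Set con = Server.CreateObject("ADODB.Connection")
con.Open "provider=microsoft.jet.oledb.4.0;data source=" & Server.MapPath("database.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandType = adCmdText
' The "?" placeholders are bound by the provider in the order the parameters
' are appended; the input text itself is never re-parsed as SQL, so quotes
' and semicolons in it are stored literally.
cmd.CommandText = "INSERT INTO MessagesTable (Message, MsgBy) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("Message", adLongVarWChar, adParamInput, Len(message) + 1, message)
cmd.Parameters.Append cmd.CreateParameter("MsgBy", adVarWChar, adParamInput, 50, msgby)
cmd.Execute

con.Close
Set cmd = Nothing
Set con = Nothing
%>
```

If the string-concatenation version is kept instead, note that Replace returns a new string rather than changing its argument, so the result has to be assigned back (message = Replace(message, "'", "''")); with parameters no escaping is needed at all.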
 
