Even if you weren't worried about SQL injection, the query "SELECT * from tbluser WHERE User = '" & strUser & "'" will not work if strUser = "O'Toole". You should write a "sqlwrap" function that handles these types of issues, and use it all the time.

Erik

>-----Original Message-----
>From: Graphfixz [mailto:info@;graphfixz.com]
>Sent: November 6, 2002 11:23 AM
>To: ActiveServerPages
>Subject: RE: SQL query
>
>if I am not mistaken doesn't 'SQL Injection' only work on SQL and not really
>a threat with Access?
>
>-----Original Message-----
>From: Andrew Zetterman [mailto:AZetterman@;ACMCentral.com]
>Sent: Wednesday, November 06, 2002 7:44 AM
>To: ActiveServerPages
>Subject: RE: SQL query
>
>I posted the below answer...
>
>> strUser = Replace(strUser,"'","''")
>> sqlstmt = "SELECT * from tbluser WHERE User = '" & strUser & "'"
>
>Of course I didn't explain why...
>
>Andrew
>
>-----Original Message-----
>From: David L. Penton [mailto:david@;davidpenton.com]
>Sent: Tuesday, November 05, 2002 3:10 PM
>To: ActiveServerPages
>Subject: RE: SQL query
>
><just_wondering>
>
>Why is it that 20 some-odd people posted responses and no one mentioned
>using Replace() (or the possibility of a SQL injection attack) as well?
>
></just_wondering>
>
>Promoting best practices should be on the mind of all of us. I am even
>guilty of this in this scenario. I should have mentioned that even in
>MSAccess you can use a Command object for querydefs or parameterized
>queries in the VBScript code itself.
>
>Not trying to get into a fight here...just wondering...
>
>David L. Penton, Microsoft MVP
>JCPenney Application Specialist / Lead
>"Mathematics is music for the mind, and Music is Mathematics for the
>Soul. - J.S. Bach" [EMAIL PROTECTED]
>
>Do you have the VBScript Docs or SQL BOL installed? If not, why not?
>VBScript Docs: http://www.davidpenton.com/vbscript
>SQL BOL: http://www.davidpenton.com/sqlbol
>
>-----Original Message-----
>From: David L. Penton [mailto:david@;davidpenton.com]
>
>' are missing:
>
>' don't use SELECT *
>' write out the column names
>' defeat SQL Injection with Replace() or similar function
>sqlstmt = "SELECT * from [tbluser] WHERE [User] = '" & _
>    Replace(strUser, "'", "''") & "'"
>
>-----Original Message-----
>From: Jon Barnhardt [mailto:jon_barnhardt@;educ8.org]
>
>I'm doing a SIMPLE query against an access database and for some reason
>it doesn't like me.
>
>here is the statement:
>sqlstmt = "SELECT * from tbluser WHERE User =" & strUser
>Here is the error:
>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
>operator) in query expression 'User =Chris K'.
>
>what gives?? I just can't see it today...
>
>Thanks again for the help
>Jon
>
>---
>You are currently subscribed to activeserverpages as:
>[EMAIL PROTECTED] To unsubscribe send a blank email to
>%%email.unsub%%
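Added example, not code posted in this thread: the Command-object parameterized query David mentions for Access, next to the Replace()-based escape that Erik calls a "sqlwrap" function. The Jet connection string, the FullName column and the function names are assumptions; the table and column names come from the thread.

```vbscript
' Added example (not from the thread). Assumed: a Jet/Access connection
' string, a [FullName] column in [tbluser], and the function names below.
Option Explicit

' ADO constants (ADOVBS.inc values) so the page runs without the include.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' The "sqlwrap" approach: double embedded single quotes and add the outer
' quotes, so "O'Toole" becomes 'O''Toole'. This only covers text literals
' and still leaves the value inside the SQL string; prefer FindUser below.
Function SqlWrap(strValue)
    SqlWrap = "'" & Replace(strValue, "'", "''") & "'"
End Function

' The parameterized form: the user value is bound through a Command
' parameter and never becomes part of the SQL text, so neither Jon's
' unquoted "Chris K" nor a stray apostrophe can change the query's shape.
' Named columns replace SELECT *, as David's comment recommends.
Function FindUser(strConn, strUser)
    Dim cn, cmd
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open strConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    ' Jet accepts positional "?" placeholders through ADO.
    cmd.CommandText = "SELECT [User], [FullName] FROM [tbluser] WHERE [User] = ?"
    cmd.Parameters.Append cmd.CreateParameter("User", adVarChar, adParamInput, 50, strUser)

    ' Returns an open Recordset; the caller closes it and the connection.
    Set FindUser = cmd.Execute
End Function

' Usage (assumed path):
'   Dim rs
'   Set rs = FindUser("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\users.mdb", _
'                     Request.Form("user"))
'   If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("FullName"))
'   rs.Close
```

The parameter carries a length of 50 and a text type, so a value that does not fit the column is rejected by ADO before any SQL is run, which is a second check the string-concatenation version never gets.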
