Probably easier just to create a business rule that says Users cannot be Irish.......
Quoting Erik Petersen <[EMAIL PROTECTED]>:

> Even if you weren't worried about SQL injection, the query
>
> "SELECT * from tbluser WHERE User = '" & strUser & "'"
>
> will not work if the strUser = "O'Toole". You should write a "sqlwrap"
> function that handles these types of issues, and use it all the time.
>
> Erik
>
> >-----Original Message-----
> >From: Graphfixz [mailto:info@graphfixz.com]
> >Sent: November 6, 2002 11:23 AM
> >To: ActiveServerPages
> >Subject: RE: SQL query
> >
> >if I am not mistaken doesn't 'SQL Injection' only work on SQL and
> >not really a threat with Access?
> >
> >-----Original Message-----
> >From: Andrew Zetterman [mailto:AZetterman@ACMCentral.com]
> >Sent: Wednesday, November 06, 2002 7:44 AM
> >To: ActiveServerPages
> >Subject: RE: SQL query
> >
> >I posted the below answer...
> >
> >> strUser = Replace(strUser,"'","''")
> >> sqlstmt = "SELECT * from tbluser WHERE User = '" & strUser & "'"
> >
> >Of course I didn't explain why...
> >
> >Andrew
> >
> >-----Original Message-----
> >From: David L. Penton [mailto:david@davidpenton.com]
> >Sent: Tuesday, November 05, 2002 3:10 PM
> >To: ActiveServerPages
> >Subject: RE: SQL query
> >
> ><just_wondering>
> >
> >Why is it that 20 some-odd people posted responses and no one mentioned
> >using Replace() (or the possibility of a SQL injection attack) as well?
> >
> ></just_wondering>
> >
> >Promoting best practices should be on the mind of all of us. I am even
> >guilty of this in this scenario. I should have mentioned that even in
> >MSAccess you can use a Command object for querydefs or parameterized
> >queries in the VBScript code itself.
> >
> >Not trying to get into a fight here...just wondering...
> >
> >David L. Penton, Microsoft MVP
> >JCPenney Application Specialist / Lead
> >"Mathematics is music for the mind, and Music is Mathematics for the
> >Soul. - J.S. Bach" [EMAIL PROTECTED]
> >
> >Do you have the VBScript Docs or SQL BOL installed? If not, why not?
> >VBScript Docs: http://www.davidpenton.com/vbscript
> >SQL BOL: http://www.davidpenton.com/sqlbol
> >
> >-----Original Message-----
> >From: David L. Penton [mailto:david@davidpenton.com]
> >
> >' are missing:
> >
> >' don't use SELECT *
> >' write out the column names
> >' defeat SQL Injection with Replace() or similar function
> >sqlstmt = "SELECT * from [tbluser] WHERE [User] = '" & _
> >    Replace(strUser, "'", "''") & "'"
> >
> >-----Original Message-----
> >From: Jon Barnhardt [mailto:jon_barnhardt@educ8.org]
> >
> >I'm doing a SIMPLE query against an access database and for some reason
> >it doesn't like me.
> >
> >here is the statement:
> >sqlstmt = "SELECT * from tbluser WHERE User =" & strUser
> >Here is the error:
> >Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
> >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
> >operator) in query expression 'User =Chris K'.
> >
> >what gives?? I just can't see it today...
> >
> >Thanks again for the help
> >Jon
> >
> >---
> >You are currently subscribed to activeserverpages as:
> >[EMAIL PROTECTED] To unsubscribe send a blank email to
> >%%email.unsub%%
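The parameterized Command object David Penton mentions, as an added example that is not code from the thread: the Replace()-based SqlWrap from the replies sits beside an ADODB.Command that passes the value separately from the SQL text. It is written for cscript.exe rather than ASP (WScript.Echo in place of Response.Write) and assumes an Access file at C:\data\users.mdb containing the thread's [tbluser] table and [User] column.

```vbscript
' Added example, not from the mailing-list thread.
Option Explicit

' ADO enumeration values normally pulled in from adovbs.inc
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Assumed location of the Access database
Const DB_PATH = "C:\data\users.mdb"

' The thread's Replace() approach: doubling ' keeps O'Toole inside '...'
' intact, but the SQL is still assembled by string concatenation.
Function SqlWrap(ByVal value)
    SqlWrap = "'" & Replace(value, "'", "''") & "'"
End Function

' Preferred: Jet reads "?" as a placeholder and receives the value as a
' parameter, so the input is never parsed as part of the statement.
Function FindUser(ByVal strUser)
    Dim conn, cmd, rs
    Set conn = CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Named columns instead of SELECT *, as the thread advises
    cmd.CommandText = "SELECT [User] FROM [tbluser] WHERE [User] = ?"
    cmd.Parameters.Append cmd.CreateParameter("pUser", adVarWChar, _
        adParamInput, 255, strUser)

    Set rs = cmd.Execute
    If rs.EOF Then
        FindUser = ""
    Else
        FindUser = rs("User")
    End If
    rs.Close
    conn.Close
End Function

' Both inputs from the thread work without any quoting in the caller;
' a value containing quotes is simply matched literally.
WScript.Echo FindUser("O'Toole")
WScript.Echo FindUser("Chris K")
WScript.Echo "Escaped literal: " & SqlWrap("O'Toole")
```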
