New topic: Sanitization error?
<http://forums.realsoftware.com/viewtopic.php?t=47148>

Author: BrianOBrien
Post subject: Sanitization error?
Posted: Mon Mar 04, 2013 1:23 pm
Joined: Wed Jul 07, 2010 2:55 pm
Posts: 665
Location: University Of Calgary, Faculty Of Medicine

I'm getting an SQL syntax error when the string I'm searching for = DAILY QC'
I sanitize my strings with the method below, but this one case still messes up.

    WHERE StuDes = 'DAILY QC\''

    Function PrepSQL(extends value as string, escapeChar as string = "\") As String
      if escapeChar = "" then escapeChar = "\" // Won't allow a blank escape character

      const kSingleQuote = "'"
      const kDoubleQuote = """"
      const kBar = "|"

      static nullChar as string = chr( 0 )
      static returnChar as string = chr( 13 )
      static linefeedChar as string = chr( 10 )
      static code26Char as string = chr( 26 )

      // Each special character is replaced by escapeChar followed by the character
      dim replacementEscapeChar as string = escapeChar + escapeChar
      dim replacementSingleQuoteChar as string = escapeChar + kSingleQuote
      dim replacementDoubleQuoteChar as string = escapeChar + kDoubleQuote
      dim replacementBarChar as string = escapeChar + kBar
      dim replacementNullChar as string = escapeChar + nullChar
      dim replacementReturnChar as string = escapeChar + returnChar
      dim replacementLinefeedChar as string = escapeChar + linefeedChar
      dim replacementCode26Char As String = escapeChar + code26Char

      // The escape character itself must be escaped first, otherwise the
      // escape characters inserted by the later replacements would be doubled
      value = value.ReplaceAll( escapeChar, replacementEscapeChar )
      value = value.ReplaceAll( kSingleQuote, replacementSingleQuoteChar )
      value = value.ReplaceAll( kDoubleQuote, replacementDoubleQuoteChar )
      value = value.ReplaceAll( kBar, replacementBarChar )
      value = value.ReplaceAll( nullChar, replacementNullChar )
      value = value.ReplaceAll( returnChar, replacementReturnChar )
      value = value.ReplaceAll( linefeedChar, replacementLinefeedChar )
      value = value.ReplaceAll( code26Char, replacementCode26Char )

      return value
    End Function

_________________
If at first you don't succeed... Try REALBasic.
Author: timhare
Post subject: Re: Sanitization error?
Posted: Mon Mar 04, 2013 3:31 pm
Joined: Fri Jan 06, 2006 3:21 pm
Posts: 12100
Location: Portland, OR USA

Are you sure \' is the proper escape sequence? Most DBs use '' (two single quotes) to make a literal single quote. Some use \'. Check the documentation for your DB.

Author: Thom McGrath
Post subject: Re: Sanitization error?
Posted: Mon Mar 04, 2013 4:26 pm
Site Admin
Joined: Tue May 06, 2008 1:07 pm
Posts: 1392
Location: NotEvenOnTheMap, CT

Tim is probably correct, but I'll point you to prepared statements and have you let the database handle this for you.

_________________
Thom McGrath - @tekcor
Web Framework Architect, Real Software, Inc.

Author: HMARROQUINC
Post subject: Re: Sanitization error?
Posted: Mon Mar 04, 2013 7:11 pm
Joined: Sun Jan 25, 2009 5:11 pm
Posts: 496
Location: Guatemala, Central America

What type of DB is this? I haven't worked with Oracle in ages, but I believe this one is probably an Oracle DB; I think I remember having to set the escape character. Also, as Thom mentioned, have a look at prepared statements.

_________________
Future RS guru. Ride the world!

Author: timhare
Post subject: Re: Sanitization error?
Posted: Mon Mar 04, 2013 7:29 pm
Joined: Fri Jan 06, 2006 3:21 pm
Posts: 12100
Location: Portland, OR USA

As Thom mentioned, use a prepared statement.
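The three approaches discussed in this thread, side by side, as an added example that is not from the original posts. It uses Python's sqlite3 module (SQLite follows the SQL standard: a literal quote is written as two quotes and backslash is not an escape character), a constructed one-row table, and the thread's search value DAILY QC'. The backslash_escape and double_quote_escape helpers are assumed stand-ins for the PrepSQL method above and for the '' convention Tim describes.

```python
import sqlite3

# Constructed sample data: one study whose description ends in a single quote.
SETUP = [
    "CREATE TABLE studies (id INTEGER PRIMARY KEY, StuDes TEXT)",
    "INSERT INTO studies (StuDes) VALUES ('DAILY QC''')",
]


def backslash_escape(value: str) -> str:
    """Escape the way the thread's PrepSQL does: \\ -> \\\\ and ' -> \\'."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def double_quote_escape(value: str) -> str:
    """SQL-standard escaping: every ' inside the literal becomes ''."""
    return value.replace("'", "''")


def lookup(conn, rhs: str, params=()):
    """Run SELECT ... WHERE StuDes = <rhs> and return the matching ids."""
    cur = conn.execute("SELECT id FROM studies WHERE StuDes = " + rhs, params)
    return [row[0] for row in cur.fetchall()]


def run_all(search: str = "DAILY QC'"):
    """Compare backslash escaping, quote doubling and a bound parameter."""
    conn = sqlite3.connect(":memory:")
    for stmt in SETUP:
        conn.execute(stmt)
    results = {}
    # 1. Backslash escaping: SQLite reads 'DAILY QC\' as a complete literal,
    #    so the trailing quote starts an unterminated string -> syntax error.
    try:
        results["backslash"] = lookup(conn, "'" + backslash_escape(search) + "'")
    except sqlite3.OperationalError as exc:
        results["backslash"] = "error: " + str(exc)
    # 2. Doubling the quote produces 'DAILY QC''' which parses correctly.
    results["doubled"] = lookup(conn, "'" + double_quote_escape(search) + "'")
    # 3. A prepared statement: the value never touches the SQL text at all,
    #    so no per-database escape convention has to be known.
    results["prepared"] = lookup(conn, "?", (search,))
    conn.close()
    return results
```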