
sql injection problem


Iceman


You can escape the quotes, and leave them as part of the text. You will need a function that will find/replace characters in a string. You can use this for VB:
http://devguru.com/technologies/vbscript/13958.asp
Or this for JavaScript:
http://devguru.com/technologies/javascript/10812.asp
You can replace a single quote with either \' or two quotes '', depending on the database. I think with SQL Server you can use two quotes.


I can't find any function in ASP to do something like If Request.Form("whatever") Contains this Then. I need a way to block out quotes from post forms. Does anyone know how this can be done?

Please see here:

<%
' Doubles single quotes so they survive as literal quotes inside a SQL string,
' strips other characters commonly used in SQL injection, and truncates the
' result to num characters (num <= 0 means no limit).
Function getString(str, num)
    Dim tmp
    tmp = str
    tmp = Replace(tmp, "'", "''")
    tmp = Replace(tmp, "%", "")
    tmp = Replace(tmp, "-", "")
    tmp = Replace(tmp, ",", "")
    tmp = Replace(tmp, "(", "")
    tmp = Replace(tmp, ")", "")
    tmp = Replace(tmp, "{", "")
    tmp = Replace(tmp, "}", "")
    tmp = Replace(tmp, ">", "")
    tmp = Replace(tmp, "<", "")
    tmp = Replace(tmp, """", "")
    tmp = Replace(tmp, "!", "")
    tmp = Replace(tmp, "+", "")
    tmp = Replace(tmp, ":", "")
    tmp = Replace(tmp, ";", "")
    tmp = Replace(tmp, "=", "")
    tmp = Replace(tmp, "&", "")
    tmp = Replace(tmp, "--", "")
    If Len(tmp) > num And num > 0 Then
        tmp = Left(tmp, num)
    End If
    getString = tmp
End Function

' Returns the value as a number, or 0 if it is empty or not numeric.
' CLng is used instead of CInt so values above 32767 do not raise an overflow error.
Function getNumber(str)
    If str <> "" And IsNumeric(str) Then
        getNumber = CLng(str)
    Else
        getNumber = 0
    End If
End Function

' Removes a blacklist of SQL keywords (xp_ covers SQL Server extended
' procedures such as xp_cmdshell). The trailing vbTextCompare argument makes
' the match case-insensitive; Replace is case-sensitive by default.
Function Killchar(str)
    Dim Badchar
    Dim Newchar
    Dim i
    Badchar = Array("select", "drop", ";", "insert", "delete", "xp_")
    Newchar = str
    For i = 0 To UBound(Badchar)
        Newchar = Replace(Newchar, Badchar(i), "", 1, -1, vbTextCompare)
    Next
    Killchar = Newchar
End Function
%>
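The quote doubling from the first reply and the keyword blacklist in the posted Killchar() function, as an added Python example that is not from this thread or its posters: it ports Killchar() to Python (case-insensitive, single pass like the original), runs concatenated and parameterised queries against an in-memory SQLite table constructed for the demo, and shows where each approach holds and where it fails. The table, its rows and the payload strings are assumptions made for illustration.

```python
import re
import sqlite3

# Blacklist ported from the posted Killchar(); matching is case-insensitive here.
BADWORDS = ("select", "drop", ";", "insert", "delete", "xp_")


def killchar(value):
    """Single-pass removal of each blacklisted token, like the posted Killchar().
    Because the pass is not repeated, a token split by a copy of itself
    reassembles once the inner copy is removed."""
    for bad in BADWORDS:
        value = re.sub(re.escape(bad), "", value, flags=re.IGNORECASE)
    return value


def double_quotes(value):
    """The escaping from the first reply: ' becomes '' (SQL Server, SQLite, standard SQL)."""
    return str(value).replace("'", "''")


def fresh_db():
    """Constructed demo table; not real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "O'Brien", "user"), (3, "mallory", "user")],
    )
    return db


def lookup_by_name_escaped(db, name):
    """String context: concatenation with doubled quotes keeps the literal intact."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % double_quotes(name)
    return db.execute(sql).fetchall()


def lookup_by_id_escaped(db, user_id):
    """Numeric context: there are no quotes to escape, so doubling does nothing
    and the value is spliced straight into the WHERE clause."""
    sql = "SELECT id, name FROM users WHERE id = %s" % double_quotes(user_id)
    return db.execute(sql).fetchall()


def lookup_by_name_param(db, name):
    """Parameterised query: the driver binds the value, it never becomes SQL."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def lookup_by_id_param(db, user_id):
    """Same for the numeric column: a payload is bound as one (non-matching) value."""
    return db.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_by_name_escaped(db, "O'Brien"))      # [(2, "O'Brien")]
    print(lookup_by_name_escaped(db, "' OR '1'='1"))  # [] : payload stays a literal
    print(lookup_by_id_escaped(db, "2 OR 1=1"))       # all three rows: injected
    print(lookup_by_id_param(db, "2 OR 1=1"))         # [] : bound as a single value
    print(killchar("selselectect"))                   # 'select'
    print(killchar("xxp_p_cmdshell"))                 # 'xp_cmdshell'
```

Two things to take from the run: doubling quotes only protects a value that sits inside a quoted SQL string literal, so the numeric lookup is still injectable however carefully the quotes are handled; and a remove-once blacklist is defeated by writing the keyword inside itself, because the filter is not re-applied to its own output. The parameterised versions need neither the escaping nor the blacklist. In classic ASP the equivalent is an ADODB.Command with Parameters appended for each value instead of building the SQL string by concatenation.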
