June 17, 2003 at 4:20 am
Hi all,
I am used to removing single quotes from my command strings or escaping them by inserting another single quote before. Now however I am trying to insert general text into a table that may include many of the 'special' characters like () ? / ' ". Is there a way to encapsulate an entire string so that SQL ignores any special characters within that encapsulation and just inserts it as text..?
Thanks for any advice.
June 17, 2003 at 4:26 am
Hi Rolf,
quote:
I am used to removing single quotes from my command strings or escaping them by inserting another single quote before. Now however I am trying to insert general text into a table that may include many of the 'special' characters like () ? / ' ". Is there a way to encapsulate an entire string so that SQL ignores any special characters within that encapsulation and just inserts it as text..?
maybe WRITETEXT or UPDATETEXT will do what you want.
For myself, I always use REPLACE to get rid of those characters
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
June 17, 2003 at 4:45 am
Ok, maybe I missed something all this time but I have never had a special character bother other than ' as long as wrapped in single quotes 'nnnnnn'. So what is everyone running into that I have yet to hit?
June 17, 2003 at 4:53 am
quote:
Ok, maybe I missed something all this time but I have never had a special character bother other than ' as long as wrapped in single quotes 'nnnnnn'. So what is everyone running into that I have yet to hit?
there are some more characters to watch. Look at this one:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
I've just visited the site and there is a new one out:
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
and they've added some I saw for the first time like
http://www.nextgenss.com/papers/tp-SQL2000.pdf
http://www.nextgenss.com/papers/asp.pdf
Hope you never hit it
Cheers,
Frank
June 17, 2003 at 5:06 am
Ok, I understand if you are using injectable query strings that are built dynamically. But I wrap everything except a few views in SPs so I am covered. But I have seen people complain about without injection possibility. So what am I missing that those are complaining about? (Just in case I have not come across or deal with without realizing)
June 17, 2003 at 5:20 am
Hi Antares686,
quote:
Ok, I understand if you are using injectable query strings that are built dynamically. But I wrap everything except a few views in SPs so I am covered.
not 100% bulletproof.
Read this link
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
I think it's all about injection, like you've mentioned before. And like you, I haven't experienced any issue with strings containing characters apart from '.
Cheers,
Frank
June 17, 2003 at 5:28 am
Sorry, I use the Procedure ADO command type not a string built from the SP. And the account doesn't have any access other than an occasional view hit which would allow anything to happen. Ok, just wanted to be sure I didn't have my fly open, so to speak.
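The following is an added example, not code posted by anyone in this thread. It puts the three approaches discussed above side by side: Rolf's original problem (a value wrapped in single quotes with no escaping), the quote-doubling that Rolf and Antares686 describe (only the quote character is special inside a single-quoted literal, so parentheses, ?, / and " need no treatment), and the parameterized path that Antares686's ADO stored-procedure call relies on, where the value never becomes part of the SQL text at all. Python's built-in sqlite3 module stands in for SQL Server and ADO; the table name, column name and sample text are constructed for the example.

```python
import sqlite3

# Constructed sample text containing the characters the original poster listed
# (parentheses, question mark, slash, single and double quotes) plus a few more
# that often worry people (semicolon, percent, comment marker, backslash).
SAMPLE_TEXT = 'O\'Brien asked: "why (not)? a/b -- 50% done; c:\\path'


def naive_literal(value):
    """Wrap a value in single quotes with NO escaping: the situation the original
    poster is in. Any apostrophe in the value terminates the literal early."""
    return "'" + value + "'"


def escaped_literal(value):
    """Quote-doubling escape: each ' inside the value becomes ''. Inside a
    single-quoted SQL literal only the quote character itself is special, so
    this is the only replacement needed; ( ) ? / " are just text there."""
    return "'" + value.replace("'", "''") + "'"


def _fresh_db():
    # One throw-away in-memory database per run so each approach is tested alone.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_concatenated(value, literal_fn):
    """Build the INSERT as one string using literal_fn and run it.
    Returns the stored text on success, or the exception class name when the
    spliced-in value breaks the statement (the parser sees a damaged query)."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO notes (body) VALUES (" + literal_fn(value) + ")")
        (stored,) = conn.execute("SELECT body FROM notes").fetchone()
        return stored
    except sqlite3.Error as exc:
        return type(exc).__name__
    finally:
        conn.close()


def insert_parameterized(value):
    """Send the SQL text and the value separately. The driver never splices the
    value into the statement, so no character in it can alter the SQL. The '?'
    in the statement is sqlite3's placeholder; a '?' inside the bound value is
    plain data, exactly like the parameters of an ADO stored-procedure call."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))
        (stored,) = conn.execute("SELECT body FROM notes").fetchone()
        return stored
    finally:
        conn.close()


if __name__ == "__main__":
    print("naive:        ", insert_concatenated(SAMPLE_TEXT, naive_literal))
    print("quote-doubled:", insert_concatenated(SAMPLE_TEXT, escaped_literal))
    print("parameterized:", insert_parameterized(SAMPLE_TEXT))
```

The naive build fails with a syntax error as soon as the value contains an apostrophe, quote-doubling stores the text intact, and the parameterized insert stores it intact without any escaping code at all. The last is the one to prefer: it has no per-character rules to get wrong, and it also covers the dynamically built strings Frank's links warn about, because the value is never part of the statement.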