
Insert into database....best practice


dallasweb (Programmer), Jan 4, 2001
When you take user-supplied information from a form (text, textarea) and insert it into a database, what is the best method for keeping HTML, hacks, and other crap from being inserted?

I'm currently using URLEncodedFormat to convert the info before insert and URLDecode during output.

I really don't want to do a Replace(crap, "XXXX", "all").

What is best practice for this?

Thanks!
 
Why don't you simply insert the data into the database without URLEncodedFormat? (If you need URLEncodedFormat, you can always use it later during output, right?)

Sylvano
dsylvano@hotmail.com

"every and each day when I learn something new is a small victory..."
 


If, for example, a person is submitting the name "O'Brien", the single quote will kill my insert statement. There are other special characters that will kill the insert statement.

I'm looking for a standard method that CF programmers are using to catch these, plus any hack attempts, etc.

I've looked at a few custom tags on the dev exchange, and most loop over the URL and FORM vars and replace problem characters and "drop table" statements.

Any best practice help is appreciated.

Thanks
 
What database are you using? On I have Access, and I am not escaping those characters, but still have no problems whatsoever. You can test the submission form there (use #### and '''' for the user name and/or password); you will not get any errors if you use # or '.

Sylvano
dsylvano@hotmail.com

"every and each day when I learn something new is a small victory..."
 
We have a small script that changes all < signs to &lt; and all > signs to &gt;.

We have lots of warnings that HTML will be stripped, so it shows the tags instead of the actual HTML. If you're having problems with single quotes you can always use
Code:
PreserveSingleQuotes()
to keep them safe.

Also, if you are doing an INSERT and someone puts in SQL, it shouldn't do any damage. In other words, your statement will end up something like
Code:
INSERT INTO mytable 
    (someval, anotherval)
VALUES 
    (12, 'DROP TABLE mytable')
which is fine (though might not make any sense). Hope that helps!
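The two concerns raised in this thread, a legitimate apostrophe ("O'Brien") breaking a concatenated INSERT and a form value that carries SQL, come down to one mechanism: whether the value is spliced into the SQL text or bound as a parameter. The following is an added example, not code from the original posters; it is written in Python against an in-memory SQLite database rather than in CFML, because it runs anywhere, but the technique is the same one CFML offers through the cfqueryparam tag inside cfquery. The table name and columns are the ones from the reply above; the sample inputs are constructed for the demonstration. It also shows the point about HTML: store the text as submitted and escape it on output, so a stored tag is displayed rather than rendered.

```python
import html
import sqlite3

# Constructed sample inputs (not taken from the original thread): a legitimate
# name containing an apostrophe, a value that merely contains SQL keywords, a
# value that closes the string literal and continues the statement, and a
# value containing HTML markup.
OBRIEN = "O'Brien"
KEYWORDS_ONLY = "DROP TABLE mytable"
BREAKOUT = "x'), (99, 'injected"
HTML_INPUT = "<script>alert(1)</script>"


def fresh_db():
    """In-memory database with the table from the reply's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (someval INTEGER, anotherval TEXT)")
    return conn


def insert_concatenated(conn, someval, anotherval):
    """The pattern the original poster is worried about: the form value is
    pasted straight into the SQL text, so any single quote in the value
    changes the structure of the statement."""
    sql = "INSERT INTO mytable (someval, anotherval) VALUES (%d, '%s')" % (
        someval, anotherval)
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, someval, anotherval):
    """Bind the value as a parameter. The driver sends it separately from the
    SQL text, so quotes and keywords are stored literally and cannot change
    the statement."""
    conn.execute(
        "INSERT INTO mytable (someval, anotherval) VALUES (?, ?)",
        (someval, anotherval),
    )
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT someval, anotherval FROM mytable ORDER BY someval").fetchall()


def demo_concatenated(value):
    """Run the concatenated insert on a fresh table; return the resulting
    rows, or the exception class name if the statement no longer parses."""
    conn = fresh_db()
    try:
        insert_concatenated(conn, 12, value)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return rows(conn)


def demo_parameterized(value):
    """Run the parameterized insert on a fresh table and return the rows."""
    conn = fresh_db()
    insert_parameterized(conn, 12, value)
    return rows(conn)


def render(value):
    """Encode on output, not on input: the database keeps the raw text, and
    the escaping happens when the value is written into an HTML page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(demo_concatenated(OBRIEN))         # OperationalError: the quote breaks the statement
    print(demo_concatenated(KEYWORDS_ONLY))  # [(12, 'DROP TABLE mytable')]: keywords alone are harmless
    print(demo_concatenated(BREAKOUT))       # [(12, 'x'), (99, 'injected')]: the input rewrote the INSERT
    print(demo_parameterized(OBRIEN))        # [(12, "O'Brien")]
    print(demo_parameterized(BREAKOUT))      # [(12, "x'), (99, 'injected")]: one row, literal text
    print(render(HTML_INPUT))                # &lt;script&gt;alert(1)&lt;/script&gt;
```

The third concatenated case is the one the reply above does not cover: the value "DROP TABLE mytable" on its own is indeed stored as harmless text, but a value that closes the quoted literal turns the single-row INSERT into a two-row one, and with a driver that accepts stacked statements it could do considerably more. Binding the value as a parameter handles both the apostrophe and the breakout without any character replacement, which is why it is the standard answer rather than a Replace() over the FORM scope.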
 