Don Grover #1
ESCAPING USER ENTERED CHARACTERS.
Hi
I have some blind users who use voice translation software to enter data
into an MSQL 2000 db using ASP (Web)
Occasionally I get ' or other punctuation characters that fail the inserts or
updates.
I handle these using the replace function but some still get through !!!
Is there a list of escape characters I should handle differently and can
someone offer (help) with an ASP function that covers most if not all those
pesky characters.
Regards
Don Grover
ps. It's hard getting them to read error screens, I'd rather cover better
initially.
-
Ken Schaefer #2
Re: ESCAPING USER ENTERED CHARACTERS.
Hi
Two things:
a) you should not try to look for malicious characters - you should filter
by using known *good* characters. Everything else should be stripped,
replaced, or an error generated
b) If you use the ADO Command Object, and append Parameter objects, then ADO
will take care of escaping all values for you.
Cheers
Ken
"Don Grover" <spamfree@assoft.com.au> wrote in message
news:e%23OnO8dJEHA.952@TK2MSFTNGP12.phx.gbl...
-
Don Grover #3
Re: ESCAPING USER ENTERED CHARACTERS.
Hi Ken
170 forms and many fields of various types.
I have filtered most with Javascript at client and VBScript at server side;
it's too big a job to modify for so many forms and user input fields.
So that's why I was asking the question I did, so I'm still looking for a
definitive resource.
Don
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OxYA5QfJEHA.3380@TK2MSFTNGP09.phx.gbl...
> Hi
-
Ken Schaefer #4
Re: ESCAPING USER ENTERED CHARACTERS.
What do you mean "definitive" resource?
The definitive way of securing your app is:
a) filter on Known Good Input - there are waaaay too many other possible
characters. Consider how many languages there are, and how many different
character sets there are (to support those languages), and thus how many
different types of ' there are. Are you going to filter for them all? That's
insane. :-)
b) use Command objects, and Parameter objects. If you have lots of data
access code scattered all over the place, then it's time to refactor your
code. You should attempt to centralise as much of this as possible, eg in
some kind of data access layer. That would make it easier to switch
c) if you want a decent methodology for developing your pages that doesn't
involve classes, and DALs and so forth, try my website:
www.adopenstatic.com/resources/code/UIValidation.asp
That said, I think you're going to have to refactor your application sooner
or later. Better sooner before you end up with an even bigger problem that
you can't "code around"
Cheers
Ken
"Don Grover" <spamfree@assoft.com.au> wrote in message
news:eipV2ChJEHA.3688@TK2MSFTNGP10.phx.gbl...
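To make Ken's two points (reply #2 and #4) concrete, here is an added classic ASP/VBScript example; it is not code from the thread or from Ken's site. The connection object `conn`, the form field `txtNotes`, the table `Notes` and its `Body` column are assumed names for illustration.

```vbscript
' Added example (not from the thread): a small centralised data-access helper
' for classic ASP following the advice above. conn, txtNotes, Notes and Body
' are assumed names for illustration.

' Point (a): keep only known-good characters instead of hunting for bad ones.
' Anything outside the allow list is dropped rather than escaped.
Function KeepKnownGood(ByVal s, ByVal maxLen)
    Dim re
    Set re = New RegExp
    re.Global = True
    ' Letters, digits, space and a small set of ordinary punctuation.
    ' Extend the class deliberately if a field legitimately needs more.
    re.Pattern = "[^A-Za-z0-9 .,;:!?()\-'""]"
    KeepKnownGood = Left(re.Replace(s, ""), maxLen)
End Function

' The pattern the original poster is fighting: the value is glued into the
' SQL text, so a stray ' ends the string literal and the INSERT fails.
' Kept here only as the "before" to contrast with InsertNote below.
Sub InsertNoteConcatenated(ByVal conn, ByVal body)
    conn.Execute "INSERT INTO Notes (Body) VALUES ('" & body & "')"
End Sub

' Point (b): an ADODB.Command with a Parameter object. The value is sent
' separately from the SQL text, so apostrophes and other punctuation are
' stored exactly as typed and need no escaping at all.
Sub InsertNote(ByVal conn, ByVal body)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                     ' adCmdText
    cmd.CommandText = "INSERT INTO Notes (Body) VALUES (?)"
    ' CreateParameter(Name, Type, Direction, Size, Value)
    ' adVarChar = 200, adParamInput = 1; 4000 matches the assumed column width
    cmd.Parameters.Append cmd.CreateParameter("@Body", 200, 1, 4000, body)
    cmd.Execute , , 128                     ' adExecuteNoRecords
End Sub

' Usage from a form handler: validate first, then insert via the Command.
' InsertNote conn, KeepKnownGood(Request.Form("txtNotes"), 4000)
```

With `InsertNote` in one include file, each of the 170 forms only needs its `conn.Execute` line swapped for a call to the helper, which is the refactor Ken describes.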