webfox #1
Problem with %
Hello!
I have a SELECT command passed through ASP like this:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID
and when I pass it, it gives me:
SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"ïectuar" ORDER BY PK_A_MSGID
Why? How can I correct this?
Thanks
webfox Guest
-
Ray at #5
Re: Problem with %
I don't know what the story is with the %'s disappearing, but you should be
using ' to delimit in SQL, not ".
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
Ray at home
"webfox" <webfox@sapo.pt> wrote in message
news:e4hVL%23dkDHA.964@TK2MSFTNGP10.phx.gbl...
> Hello!
> I have a SELECT command passed through ASP like this:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> ""%Efectuar%"" ORDER BY PK_A_MSGID
>
> and when I pass it, it gives me:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> "ïectuar" ORDER BY PK_A_MSGID
>
> Why? How can I correct this?
> Thanks
Ray at Guest
-
Ray at #6
Re: Problem with %
Asked and answered in .general.
[url]www.aspfaq.com/5003[/url]
Ray at home
"webfox" <webfox@sapo.pt> wrote in message
news:uVhrC%23dkDHA.2012@TK2MSFTNGP12.phx.gbl...
> Hello!
> I have a SELECT command passed through ASP like this:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> ""%Efectuar%"" ORDER BY PK_A_MSGID
>
> and when I pass it, it gives me:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> "ïectuar" ORDER BY PK_A_MSGID
>
> Why? How can I correct this?
> Thanks
>
Ray at Guest
-
Ray at #7
Re: Problem with %
Asked and answered in .general.
Please see here again. [url]www.aspfaq.com/5003[/url]
Ray at home
"webfox" <webfox@sapo.pt> wrote in message
news:3f8b310a$0$5510$a729d347@news.telepac.pt...
> Hello!
> I have a SELECT command passed through ASP like this:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> ""%Efectuar%"" ORDER BY PK_A_MSGID
>
> and when I pass it, it gives me:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> "ïectuar" ORDER BY PK_A_MSGID
>
> Why? How can I correct this?
> Thanks
>
Ray at Guest
-
webfox #8
Re: Problem with %
If I use ' instead of " it gives me:
sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#fhuQKekDHA.2216@TK2MSFTNGP12.phx.gbl...
> I don't know what the story is with the %'s disappearing, but you should be
> using ' to delimit in SQL, not ".
>
> sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
>
> Ray at home
>
> "webfox" <webfox@sapo.pt> wrote in message
> news:e4hVL%23dkDHA.964@TK2MSFTNGP10.phx.gbl...
> > Hello!
> > I have a SELECT command passed through ASP like this:
> >
> > SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> > ""%Efectuar%"" ORDER BY PK_A_MSGID
> >
> > and when I pass it, it gives me:
> >
> > SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> > "ïectuar" ORDER BY PK_A_MSGID
> >
> > Why? How can I correct this?
> > Thanks
webfox Guest
-
Ray at #9
Re: Problem with %
How about posting the relevant code snippet you're using to generate this
string?
Ray at home
"webfox" <webfox@sapo.pt> wrote in message
news:u0yawbekDHA.3504@TK2MSFTNGP11.phx.gbl...
> If I use ' instead of " it gives me:
>
> sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> C3_MSG LIKE
>
> "Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
> news:#fhuQKekDHA.2216@TK2MSFTNGP12.phx.gbl...
> > I don't know what the story is with the %'s disappearing, but you should be
> > using ' to delimit in SQL, not ".
> >
> > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> > C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
> >
> > Ray at home
> >
> > "webfox" <webfox@sapo.pt> wrote in message
> > news:e4hVL%23dkDHA.964@TK2MSFTNGP10.phx.gbl...
Ray at Guest
-
webfox #10
Re: Problem with %
This uses 3 scripts with querystring pass.
"Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
news:#EbFYeekDHA.1884@TK2MSFTNGP09.phx.gbl...
> How about posting the relevant code snippet you're using to generate this
> string?
>
> Ray at home
>
> "webfox" <webfox@sapo.pt> wrote in message
> news:u0yawbekDHA.3504@TK2MSFTNGP11.phx.gbl...
> > If I use ' instead of " it gives me:
> >
> > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> > C3_MSG LIKE
> >
> > "Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
> > news:#fhuQKekDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > I don't know what the story is with the %'s disappearing, but you should be
> > > using ' to delimit in SQL, not ".
> > >
> > > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> > > C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
> > >
> > > Ray at home
> > >
> > > "webfox" <webfox@sapo.pt> wrote in message
> > > news:e4hVL%23dkDHA.964@TK2MSFTNGP10.phx.gbl...
webfox Guest
-
Ray at #11
Re: Problem with %
How about posting the relevant code snippet you're using to generate this
string?
Ray at home
"webfox" <webfox@sapo.pt> wrote in message
news:%231ChGjekDHA.2424@TK2MSFTNGP10.phx.gbl...
> This uses 3 scripts with querystring pass.
>
> "Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
> news:#EbFYeekDHA.1884@TK2MSFTNGP09.phx.gbl...
> > How about posting the relevant code snippet you're using to generate this
> > string?
> >
> > Ray at home
> >
> > "webfox" <webfox@sapo.pt> wrote in message
> > news:u0yawbekDHA.3504@TK2MSFTNGP11.phx.gbl...
> > > If I use ' instead of " it gives me:
> > >
> > > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> > > C3_MSG LIKE
> > >
> > > "Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
> > > news:#fhuQKekDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > > I don't know what the story is with the %'s disappearing, but you should be
> > > > using ' to delimit in SQL, not ".
> > > >
> > > > sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
> > > > C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"
> > > >
> > > > Ray at home
> > > >
> > > > "webfox" <webfox@sapo.pt> wrote in message
> > > > news:e4hVL%23dkDHA.964@TK2MSFTNGP10.phx.gbl...
Ray at Guest
-
Dan Brussee #12
Re: Problem with %
On Tue, 14 Oct 2003 00:17:01 +0100, "webfox" <webfox@sapo.pt> wrote:
>Hello!
>I have a SELECT command passed through ASP like this:
>
>SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
>""%Efectuar%"" ORDER BY PK_A_MSGID
>
>and when I pass it, it gives me:
>
>SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
>"ïectuar" ORDER BY PK_A_MSGID
>
>Why? How can I correct this?
>Thanks
>
Wouldn't the %E be converted to a character? In other words, it's
translating just like %20 becomes a space. %EF is some high-order
character.
Try doing an encoding on the string before passing it.
Dan Brussee Guest
-
Aaron Bertrand - MVP #13
Re: Problem with %
Pass through the form collection instead of the querystring collection.
Aside from the string formatting issues, think about what the user could do
to this URL:
[url]http://www.yourserver.com/page.asp?query=SELECT+*+FROM+table[/url]
Could easily become:
[url]http://www.yourserver.com/page.asp?query=DROP+TABLE+table[/url]
Use ' not "" for delimiting the string, and consider passing only the
dynamic portion of the query...
"webfox" <webfox@sapo.pt> wrote in message
news:e4hVL#dkDHA.964@TK2MSFTNGP10.phx.gbl...
> Hello!
> I have a SELECT command passed through ASP like this:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> ""%Efectuar%"" ORDER BY PK_A_MSGID
>
> and when I pass it, it gives me:
>
> SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
> "ïectuar" ORDER BY PK_A_MSGID
>
> Why? How can I correct this?
> Thanks
Aaron Bertrand - MVP Guest
-
Dave Anderson #14
Re: Problem with %
"Aaron Bertrand - MVP" wrote:
> Pass through the form collection instead of the querystring
> collection. Aside from the string formatting issues, think
> about what the user could do to this URL:
>
> [url]http://www.yourserver.com/page.asp?query=SELECT+*+FROM+table[/url]
>
> Could easily become:
>
> [url]http://www.yourserver.com/page.asp?query=DROP+TABLE+table[/url]
Can someone please explain how changing to the form collection protects me
from this type of malicious submission? Assuming the user is sophisticated
enough to form a damaging request, I see no reason to think he could not
tweak a form submission with as much ease as a querystring.
> Use ' not "" for delimiting the string, and consider passing
> only the dynamic portion of the query...
Consider? This should be a point of evangelism. If it's worth the time spent
to develop, it's worth a few minutes more to construct a stored procedure,
the benefits of which exceed simple prevention of malicious code execution.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Dave Anderson Guest
-
Aaron Bertrand - MVP #15
Re: Problem with %
> Can someone please explain how changing to the form collection protects me
> from this type of malicious submission?
It doesn't protect you, per se, but it makes it easier to validate (since
you can add referrer checks, session data, elapsed time, etc. to make sure
the form came from where you expect it to).
Aaron Bertrand - MVP Guest
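The fix the replies converge on, as an added example that is not from the thread: Dan Brussee's point that the web server URL-decodes "%Ef" into "ï" (reproduced here with Python's urllib standing in for IIS), then Aaron's advice to pass only the dynamic term rather than the whole SELECT, with the term bound as a query parameter (used here in place of the stored procedure Dave recommends) against an in-memory SQLite table constructed to stand in for S_MSGS. The page name page3.asp, the sample rows, and the ESCAPE clause so that a literal % or _ typed by the user does not act as a wildcard are my assumptions.

```python
import sqlite3
from urllib.parse import parse_qs, quote, unquote, urlsplit

def decode_as_received(raw: str) -> str:
    """Decode a raw query-string value the way the web server does.

    "%Ef" is a valid escape for byte 0xEF, which is "ï" in Windows-1252 /
    Latin-1, so the leading "%Ef" of "%Efectuar%" collapses into "ï".
    """
    return unquote(raw, encoding="latin-1")

def build_search_url(term: str, page: str = "page3.asp") -> str:
    """Pass only the dynamic part (the term), percent-encoded: "%" -> "%25"."""
    return f"{page}?term={quote(term, safe='')}"

def term_from_url(url: str) -> str:
    """Receiving page: the decoded term, with its "%" characters intact."""
    return parse_qs(urlsplit(url).query, encoding="latin-1")["term"][0]

def escape_like(term: str) -> str:
    """Make LIKE treat %, _ and the escape character in user input literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_messages(conn: sqlite3.Connection, term: str) -> list:
    """The thread's SELECT with the term bound as a parameter, never spliced in."""
    sql = ("SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS "
           "WHERE C3_MSG LIKE ? ESCAPE '\\' ORDER BY PK_A_MSGID")
    return conn.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()

def sample_db() -> sqlite3.Connection:
    """Constructed sample rows; the real S_MSGS contents are not in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE S_MSGS (PK_A_MSGID INTEGER PRIMARY KEY, "
                 "C3_MSG TEXT, C3_MSGPT TEXT, C3_MSGEN TEXT)")
    conn.executemany("INSERT INTO S_MSGS VALUES (?, ?, ?, ?)", [
        (1, "Efectuar pagamento", "Efectuar pagamento", "Make payment"),
        (2, "Cancelar", "Cancelar", "Cancel"),
        (3, "100% concluido", "100% concluido", "100% complete"),
        (4, "Efectuar login", "Efectuar login", "Log in"),
    ])
    return conn

if __name__ == "__main__":
    print(decode_as_received("%Efectuar%"))  # ïectuar%  (the "ï" webfox saw)
    url = build_search_url("Efectuar")
    print(url, "->", search_messages(sample_db(), term_from_url(url)))
```

Python keeps the dangling trailing "%" that webfox's server dropped; the "ï" is the same byte 0xEF in both cases. A term containing an apostrophe, which truncated webfox's concatenated string in post #8, is just a literal character once it is bound as a parameter.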


