-
SQL injection
With respect to SQL strings:
Why is it not sufficient to replace an apostrophe ' with a quotation mark " ? Wherever I read about this, it is said that one apostrophe has to be replaced with two. I understand all about string beginnings and endings, but if one apostrophe is replaced by a quotation mark, why can it be abused?
Thanks so much. :)
-
It can't, but you're altering data then...
Let's say you look at my previous sentence using your suggestion:
Code:
It can"t, but you"re altering data then...
and then as I wrote it:
Code:
It can't, but you're altering data then...
SQL standards dictate that two apostrophes inside a quoted string are to be treated as a single apostrophe, as a way of letting people use English conjunctions (among other things) in their database records.
It's not less secure, but it creates inaccurate data.
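To make the data-accuracy point concrete, here is an added example (not code from either poster) that inserts the sentence from the reply above into an in-memory SQLite table three ways: with the apostrophe swapped for a quotation mark as the question suggests, with the SQL-standard doubled apostrophe, and with a bound parameter so no escaping is needed at all. SQLite is an assumption; the thread names no particular database, and the table name and sample sentence are constructed for the demo.

```python
import sqlite3

# Sentence from the reply above, used as constructed sample input.
SAMPLE = "It can't, but you're altering data then..."


def naive_replace(value: str) -> str:
    # The approach from the question: swap ' for ". The literal no longer
    # breaks, but what gets stored is not what the user typed.
    return value.replace("'", '"')


def sql_double_quotes(value: str) -> str:
    # SQL-standard escaping: inside a single-quoted literal, '' means '.
    return value.replace("'", "''")


def _fresh_db() -> sqlite3.Connection:
    # Throwaway in-memory database with one text column (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def round_trip(escape, value: str) -> str:
    # Build the literal by string concatenation using the given escaper,
    # insert it, and return exactly what the database stored.
    conn = _fresh_db()
    conn.execute(f"INSERT INTO notes (body) VALUES ('{escape(value)}')")
    (stored,) = conn.execute("SELECT body FROM notes").fetchone()
    conn.close()
    return stored


def round_trip_parameterized(value: str) -> str:
    # The preferred approach: the value never touches the SQL text, so the
    # driver handles quoting and the data is stored unchanged.
    conn = _fresh_db()
    conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT body FROM notes").fetchone()
    conn.close()
    return stored


def breaks_without_escaping(value: str) -> bool:
    # Shows why escaping is needed in the first place: an unescaped
    # apostrophe terminates the literal early and the statement fails.
    conn = _fresh_db()
    try:
        conn.execute(f"INSERT INTO notes (body) VALUES ('{value}')")
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("unescaped breaks statement:", breaks_without_escaping(SAMPLE))
    print("quote-swapped :", round_trip(naive_replace, SAMPLE))
    print("doubled       :", round_trip(sql_double_quotes, SAMPLE))
    print("parameterized :", round_trip_parameterized(SAMPLE))
```

Run it and compare the three stored strings: only the doubled-apostrophe and parameterized versions give back the original sentence. The swap to quotation marks keeps the statement well-formed but corrupts every record that contains an apostrophe, which is the inaccuracy the reply describes.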
-
It's worth noting that on Microsoft Access, there are characters other than quotes which must be escaped before you have a secure application.
I don't claim to know them all, but the pipe character (|) is definitely one of them. I don't know the correct procedure to escape it.
I do know that there are a lot of exploits for this, including ones which under some circumstances lead to a remote compromise of either LocalSystem or IWAM_MACHINENAME. I have successfully exploited it in a test environment.
If you want a secure application, do not use Microsoft Access as a web database.
Cheers
Slarty
-
Slarty, I've heard what you're talking about, and I believe you escape it the same way you escape a single quote -- that is double up on them. So you just need to replace all instances of | with || and it should be ok.