Escaping quotes and injections

  • fran7
    New Member
    • Jul 2006
    • 229

    Escaping quotes and injections

    Hi, I wonder if someone could advise on the following.
    I inherited this code, I am not a coder but have had some kind of hack and am looking at code to reduce its vulnerability. At the top of the page I have

    Code:
    nPage = CLng(Request.QueryString("Page"))
    Keyword = Trim(Request.QueryString("Keyword"))
    in the where clause I have
    Code:
    p.area LIKE '%" & Replace(Keyword, "_", " ") & "%'
    I need to replace these for the query string, but do I also need to add an escape?
    Code:
    p.area LIKE '%" & Replace(Keyword, "'", "''") & "%'

    Thanks for any advice.
    Richard
  • Rabbit
    Recognized Expert MVP
    • Jan 2007
    • 12517

    #2
    What do you mean by escape? Replacing single quotes with double single quotes is an escape for quotes. But if you want to truly protect against injection, you should use parameters instead.
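    As an added example (not the poster's code and not from the thread), here is the same lookup written with an ADODB parameterised query instead of string concatenation, which is what the advice above amounts to in classic ASP. It assumes an already open ADODB.Connection named conn and a table called places with columns id and area; those names are placeholders.

```vbscript
<%
' Added example, not the poster's code: parameterised version of the lookup.
' Assumes an open ADODB.Connection named conn and a table "places" (assumed).
Option Explicit

' ADO constants, declared here in case adovbs.inc is not included on the page.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim nPage, Keyword, cmd, rs

' CLng on non-numeric input raises a runtime error; validate before converting.
If IsNumeric(Request.QueryString("Page")) Then
    nPage = CLng(Request.QueryString("Page"))
Else
    nPage = 1
End If
If nPage < 1 Then nPage = 1

Keyword = Trim(Request.QueryString("Keyword"))

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The value travels separately from the SQL text, so a quote inside Keyword
' cannot alter the statement; no Replace(Keyword, "'", "''") is needed.
cmd.CommandText = "SELECT p.id, p.area FROM places p WHERE p.area LIKE ?"
' Keep the poster's underscore-to-space mapping; the wildcards are added here,
' not typed by the user.
cmd.Parameters.Append cmd.CreateParameter("@area", adVarChar, adParamInput, 255, _
    "%" & Replace(Keyword, "_", " ") & "%")
' Caveat: % and _ supplied by the user still act as LIKE wildcards. That can
' widen the match but is not injection; escape them as well if exact matching matters.
Set rs = cmd.Execute

Do While Not rs.EOF
    ' Encode on output so a stored value cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("area")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```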
