Escaping apostrophe/single quote in parameterized sql in asp - asp.net

I'm new to parametrized SQL. I've got a query in an .asp page that's getting one or more client names from a form. These are held in an array called clientArr and then passed through to SQL server as parameters. I'm escaping the ' as '' but this doesn't appear to be working. If I run the query with a client name like McDonald's, it returns no results.
clientArr(y) = Replace(clientArr(y), "'", "''")   ' doubles any apostrophe before the value is bound as a parameter
...
if qsClient > "" Then
dim booComma
booComma = false
if mySQLwhere > "" Then
mySQLwhere = mySQLwhere& " AND "
End if
mySQLwhere = mySQLwhere & " (p.client IN ( "
for y = 0 to Ubound(clientArr)
if booComma = true Then
mySQLwhere = mySQLwhere & ","
end if
mySQLwhere = mySQLwhere & "?"
booComma = true
Next
mySQLwhere = mySQLwhere & ")) "
end if
...
if qsClient > "" Then
for y = 0 to Ubound(clientArr)
Response.write clientArr(y)
set prm = cmd.CreateParameter("#prm", 129, 1, 50, clientArr(y))
cmd.Parameters.Append prm
next
end if
If I run the query directly or create it by concatenating strings rather than using parameters, it works fine. It also works fine if I use a client name without an apostrophe.
Any help would be much appreciated. Happy to provide more info if I can.
Thanks,
Tim

After working on this for far too long, it just hit me. Passing the parameter straight through like this means that I don't need to escape it at all. If I remove that replace statement, it works just fine keeping the single quote. I was definitely over-thinking this.
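To show the same thing outside ADO, here is an added example (not code from the question) that builds the `IN (?, ?, ...)` placeholder list the way the post does and binds "McDonald's" both raw and pre-escaped. It uses Python's sqlite3 driver with a constructed `p` table; the `?` placeholder semantics are the same as the ADO command above.

```python
import sqlite3

# Constructed sample rows standing in for the post's "p" table.
CLIENTS = ["McDonald's", "Acme", "O'Brien & Sons"]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE p (id INTEGER PRIMARY KEY, client TEXT)")
    conn.executemany("INSERT INTO p (client) VALUES (?)", [(c,) for c in CLIENTS])
    return conn

def find_clients(conn, names):
    """One '?' per name, exactly like the post's loop, then bind the names unmodified.
    The driver sends them as data, so an apostrophe is never parsed as SQL text."""
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = f"SELECT client FROM p WHERE client IN ({placeholders}) ORDER BY client"
    return [row[0] for row in conn.execute(sql, list(names))]

def find_clients_pre_escaped(conn, names):
    """The original mistake: doubling the apostrophe *before* binding. The bound
    value then literally contains two quote characters and matches nothing."""
    return find_clients(conn, [n.replace("'", "''") for n in names])

if __name__ == "__main__":
    db = setup_db()
    print(find_clients(db, ["McDonald's", "Acme"]))      # ['Acme', "McDonald's"]
    print(find_clients_pre_escaped(db, ["McDonald's"]))  # []
```

Escaping is only needed when the value is spliced into the SQL string itself, which is also the case that lets an apostrophe break (or alter) the query.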

Related

Callback URL is ignoring parameter value after &

I got stuck at this point. After login I am getting a referral-url which I am putting into www.url.com?par1=val&callback="referral-url". My referral url is like www.ref-url.com?param1=val1&param2=val2&param3=val3. My problem is that I am getting a cut url, i.e., www.ref-url.com?param1=val1 after login. I think it is ignoring the url after '&'. I am using classic asp for development. Any help would be very helpful.
You need to use Server.URLEncode if you're including a URL as a querystring parameter, especially if the included URL also contains querystrings.
Dim login_redirect, login_referrer
login_redirect = "http://www.url.com/?par1=val&callback="
login_referrer = "http://www.ref-url.com/?param1=val1&param2=val2&param3=val3"
response.write login_redirect & Server.URLEncode(login_referrer)
Output:
http://www.url.com/?par1=val&callback=http%3A%2F%2Fwww%2Eref%2Durl%2Ecom%2F%3Fparam1%3Dval1%26param2%3Dval2%26param3%3Dval3
Passing the URL with query inside another URL query is a bit tricky. The only way it works is to encode it. For example:
https://website.com/?a=1&url=https%3A%2F%2Fwebsite.com%2F%3Fz%3D1%26y%3D2
But, when you want to return to the url you passed through query, you need to decode it otherwise it will not work. You can use the following function on your "login Page" before redirecting the url.
Function URLDecode(sConvert)
Dim aSplit
Dim sOutput
Dim I
If IsNull(sConvert) Then
URLDecode = ""
Exit Function
End If
' convert all pluses to spaces
sOutput = REPLACE(sConvert, "+", " ")
' next convert %hexdigits to the character
aSplit = Split(sOutput, "%")
If IsArray(aSplit) Then
sOutput = aSplit(0)
For I = 0 to UBound(aSplit) - 1
sOutput = sOutput & _
Chr("&H" & Left(aSplit(I + 1), 2)) & _
Right(aSplit(I + 1), Len(aSplit(I + 1)) - 2)
Next
End If
URLDecode = sOutput
End Function
For example, you should have above function and the following code on your login page:
Dim callback
callback = Request("callback")
callback = URLDecode(callback)
Response.redirect(callback)
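An added example (not from either answer) that reproduces the truncation, the encoded round trip, and one thing both answers leave out: the login page should only redirect to callbacks it trusts, otherwise `Response.redirect(callback)` is an open redirect. It is Python rather than ASP so it can be run as-is; the URLs mirror the answer's values and the allowlist host is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, quote

# Constructed values mirroring the answer's login_redirect / login_referrer.
LOGIN_URL = "http://www.url.com/?par1=val&callback="
REFERRER = "http://www.ref-url.com/?param1=val1&param2=val2&param3=val3"
# Hosts the login page may send the user back to (assumed allowlist).
ALLOWED_CALLBACK_HOSTS = {"www.ref-url.com"}

def build_login_url(referrer, encode=True):
    """Append the referrer as the callback parameter: encoded (the fix) or raw (the bug)."""
    return LOGIN_URL + (quote(referrer, safe="") if encode else referrer)

def read_callback(login_url):
    """What Request("callback") yields: the query is split on '&' first, then each
    value is percent-decoded. An unencoded referrer therefore loses everything
    after its own first '&'."""
    qs = parse_qs(urlsplit(login_url).query)
    return qs.get("callback", [""])[0]

def safe_redirect_target(callback):
    """Accept only an absolute http(s) URL on an allowlisted host; anything else
    (other hosts, scheme-relative '//evil', javascript:, empty) falls back to '/'."""
    parts = urlsplit(callback)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_CALLBACK_HOSTS:
        return urlunsplit(parts)
    return "/"

if __name__ == "__main__":
    print(read_callback(build_login_url(REFERRER, encode=False)))  # truncated at param1
    print(read_callback(build_login_url(REFERRER)))                # full referrer
    print(safe_redirect_target("http://other.example/?x=1"))       # "/"
```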

Insert Server Date to DB ODBC Error

I'm having a little bit of trouble trying to insert the server date into a DB through the Parameters call, my code for this action is listed below:
<%
If (CStr(Request("MM_insert")) = "Modal-Menu-AddNote-Form") Then
If (Not MM_InsertEdit) Then
' execute the insert
Dim MM_InsertCmd
Set MM_InsertCmd = Server.CreateObject ("ADODB.Command")
MM_InsertCmd.ActiveConnection = MM_Logistics_STRING
MM_InsertCmd.CommandText = "INSERT INTO Notes (Note_Text, Note_Date) VALUES (?, ?)"
MM_InsertCmd.Prepared = true
MM_InsertCmd.Parameters.Append MM_InsertCmd.CreateParameter("param1", 202, 1, 255, Request.Form("Modal-Menu-Paragraph-AddNote")) ' adVarWChar
MM_InsertCmd.Parameters.Append MM_InsertCmd.CreateParameter("param2", 135, 0, -1, Date) ' adDBTimeStamp
MM_InsertCmd.Execute
MM_InsertCmd.ActiveConnection.Close
' append the query string to the redirect URL
Dim MM_InsertRedirectUrl
MM_InsertRedirectUrl = "edit.asp"
If (Request.QueryString <> "") Then
If (InStr(1, MM_InsertRedirectUrl, "?", vbTextCompare) = 0) Then
MM_InsertRedirectUrl = MM_InsertRedirectUrl & "?" & Request.QueryString
Else
MM_InsertRedirectUrl = MM_InsertRedirectUrl & "&" & Request.QueryString
End If
End If
Response.Redirect(MM_InsertRedirectUrl)
End If
End If
%>
It's important to take note of the "param2" line as this is the area where I'm trying to insert the date into the DB. I have also tried (0-Unknown, 1-In, 2-Out, 3-In/Out) for the 3rd argument but I still end up getting errors like "Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another" or "Invalid string or buffer length". Any thoughts or ideas on how to solve this issue?
This issue ended up being resolved; it turned out to be an issue with my text area that was gathering the data. Closing thread, thank you all for your help and advice.

Return same result even no signal quotation mark in string using RowFilter

I understand I should put single quotation marks around the string for RowFilter like this
dim TOS as string="04"
rowFilter.RowFilter = "(TOScode= " & "'" & TOS & "')"
I just wonder why the following code still works without the single quotation marks.
rowFilter.RowFilter = "(TOScode = " & TOS & ") "
The TOScode field is varchar(2) type in SQL. English is not my native language; please excuse typing errors.
Try this
rowFilter.RowFilter = String.Format("(TOScode = '{0}')", TOS)
OR simply as
rowFilter.RowFilter = String.Format("TOScode = '{0}'", TOS)

Classic ASP: querystring handler

I've done this a long time ago, now I can't find the function. It shouldn't be too complicated, but I wonder if there's any news on this before I go and do it again...
Take this:
www.example.com?query=whatever&page=1
Now imagine I press the button to go to page 2; it will become:
www.example.com?query=whatever&page=2
Always keeping the rest of the querystring intact. Now picture on page 2 I press the button to order by date, it should turn into:
www.example.com?query=whatever&page=1&order=date
Problem is, in the ASP code for ordering, I don't want to handle every other querystring parameter. So I need a function to handle it for me and be able to do something like the following examples:
date
next page
all pages
This is just an initial idea of what I am going to do if I still can't find a ready solution... Again, just wondering if there's anything new out there to handle all this in ways I haven't even imagined yet.
If it's of anyone's interest, here's the quite confusing code I rolled on yesterday:
'Build a string QueryString from the array Request
function bdl_qs (req_qs)
dim result, qa, item
result = empty
qa = "?"
'Request.QueryString is a collection, so it must be assigned with Set (without Set only its default string value is copied and For Each fails)
if isnull(req_qs) or isempty(req_qs) then Set req_qs = Request.QueryString
for each item in req_qs
'names and values are appended as-is; values containing "&" or "=" need Server.URLEncode first
result = result & qa & item
result = result & "=" & req_qs(item)
qa = "&"
next
bdl_qs = result
end function
'Build a string QueryString ontop of the supplied one, adding the query and / or value(s) to it
function add_qs (qs, q, s)
dim result
result = qs
if left(result, 1) = "?" then
result = result & "&" & q
else
result = "?" & q
end if
if not isnull(s) and not isempty(s) then
result = result & "=" & s
end if
add_qs = result
end function
'Build a string QueryString ontop of the supplied one, removing the selected query and / or values
function del_qs (qs, q)
dim result, item
result = qs
if left(qs, 1) = "?" then
dim rqs, qa
rqs = result
result = "?"
rqs = right(rqs, len(rqs)-1) 'remove the "?"
rqs = Split(rqs, "&") 'separate the queries
qa = ""
for each item in rqs
dim rq
rq = Split(item, "=") 'separate the query to analyze the name only
if rq(0) <> q then 'good for rebuilding
result = result & qa & item
qa = "&"
end if
next
end if
del_qs = result
end function
'Build a string QueryString ontop of the supplied one, setting the query to the value
function set_qs (qs, q, s)
set_qs = add_qs(del_qs(qs, q), q, s)
end function
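As an added example (not the poster's code), the same add / del / set operations done over a parsed list of pairs, so that names and values are percent-encoded on the way out and decoded on the way in. This is what the string-based VBScript above skips, and it matters as soon as a value such as a search term contains "&" or "=". Written in Python so it runs stand-alone; the walk-through uses the URLs from the question.

```python
from urllib.parse import parse_qsl, urlencode

def parse_qs_string(qs):
    """'?query=whatever&page=1' -> [('query', 'whatever'), ('page', '1')], decoding values."""
    return parse_qsl(qs.lstrip("?"), keep_blank_values=True)

def build_qs(pairs):
    """Inverse of parse_qs_string (the bdl_qs step), encoding every name and value."""
    return "?" + urlencode(pairs) if pairs else ""

def del_qs(qs, name):
    """Remove every occurrence of one parameter, keeping the others in order."""
    return build_qs([(k, v) for k, v in parse_qs_string(qs) if k != name])

def add_qs(qs, name, value=None):
    """Append a parameter; a missing value becomes an empty one ('name=')."""
    pairs = parse_qs_string(qs)
    pairs.append((name, "" if value is None else value))
    return build_qs(pairs)

def set_qs(qs, name, value):
    """Replace (or add) one parameter: the same composition as the post's set_qs."""
    return add_qs(del_qs(qs, name), name, value)

if __name__ == "__main__":
    start = "?query=whatever&page=1"
    page2 = set_qs(start, "page", "2")                          # ?query=whatever&page=2
    by_date = set_qs(set_qs(page2, "page", "1"), "order", "date")  # ...page=1&order=date
    print(page2, by_date)
    print(set_qs("?page=1", "query", "fish & chips"))           # ?page=1&query=fish+%26+chips
```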

VB Script split issue

I use the Split function in VBScript to split a string. Below is the code I am using.
Dim inputText
DIM resultArray
Dim i
inputText = "abc; def; ""xyz;123"""
resultArray = Split(inputText, "; ")
For i = 0 To UBound(resultArray)
resultArray(i) = Replace(resultArray(i), """", "")
resultArray(i) = Replace(resultArray(i), ";", "")
IF i = UBound(resultArray) THEN
Response.Write resultArray(i)
ELSE
Response.Write resultArray(i) & "; "
END IF
Next
If I remove the space after ; in the Split function it will also split "xyz:123", which I don't want.
Whether I put a space after ; in the Split function (Line # 4) or not, it shouldn't split the "xyz:123" which comes in double quotes.
Any suggestion on how I can achieve this?
Thanks in advance.
That looks suspiciously like a CSV file. You could try using ADO for this. Microsoft has a fairly extensive (and very useful) article on this: http://msdn.microsoft.com/en-us/library/ms974559.aspx
Since they describe exactly your problem, I think that just might be your solution. :)
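An added example (not from the question or the answer) of what a quote-aware split has to do, since VBScript's Split has no notion of quoting: a small state machine that ignores the separator inside double quotes and treats a doubled quote as a literal one, checked against Python's csv module, which is the same parsing the CSV route in the answer gives you. The input line is the one from the question.

```python
import csv
import io

# Constructed input: the same line the question splits.
INPUT_TEXT = 'abc; def; "xyz;123"'

def split_quoted(text, sep=";"):
    """Split on sep, but not inside double quotes; '""' inside quotes is a literal quote.
    Each field is trimmed, so '; ' and ';' give the same result."""
    fields, buf, in_quotes = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_quotes:
            if ch == '"':
                if i + 1 < len(text) and text[i + 1] == '"':  # escaped quote
                    buf.append('"')
                    i += 1
                else:
                    in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True
        elif ch == sep:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf).strip())
    return fields

def split_with_csv_module(text, sep=";"):
    """Same result through the csv module; skipinitialspace handles the '; ' spacing."""
    return next(csv.reader(io.StringIO(text), delimiter=sep, skipinitialspace=True))

if __name__ == "__main__":
    print(INPUT_TEXT.split("; "))         # naive: ['abc', 'def', '"xyz;123"']
    print(split_quoted(INPUT_TEXT))       # ['abc', 'def', 'xyz;123']
    print(split_with_csv_module(INPUT_TEXT))
```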