I've written a function that includes the following commands:

// replace single quotes (') - for entry into SQL Server
TargString = REReplaceNoCase(TargString, "[']", chr(96), "ALL");
// Replace < with [
TargString = REReplaceNoCase(TargString, "[<]", "[", "ALL");
// Replace > with ]
TargString = REReplaceNoCase(TargString, "[>]", "]", "ALL");

I know this makes any user-inputted data safe for data entry, and for
display.

The data in question would be inserted into the database, and used for
display purposes.  So, we need to handle single quotes, and angle brackets
at a minimum.  We decided to use chr(96) for the single quotes because we
have a number of stored procedures which dynamically generate their SQL
statements, and found quotes in the strings can cause trouble.


The angle brackets are somewhat troublesome, because we have run into
situations in which authorized users can enter a formula (these would be
people who know what they are doing).  So straight conversion to the '&gt;'
or '&lt;' strings doesn't quite work out.  Using the square brackets at
least gives the end user an idea of what is supposed to be there.

Is there a better way to go about this? Have I missed any other special
characters that can break a database or output?

Thanks for any response.

Shawn Grover

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
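The defensive pattern that avoids both problems raised in the post (quotes breaking dynamically built SQL, and angle brackets being mangled for users who legitimately type formulas) is to store the input verbatim through a parameterized query and encode it for the output context only at display time. The following is an added example in Python, not code from the original post; it uses an in-memory SQLite table named `notes` and two constructed sample inputs to show that the bound-parameter path preserves the user's text exactly while the replace-based approach from the post silently changes it. ColdFusion's own equivalents of these two calls are `cfqueryparam` for the insert and `HTMLEditFormat()` for the display.

```python
"""Store user input verbatim with a bound parameter, then encode for the
HTML context at output time.  Added example (not from the original post);
uses an in-memory SQLite database and constructed sample inputs."""
import html
import sqlite3

# Constructed inputs modelled on the post: a name with apostrophes and a
# formula typed by an authorised user who relies on < and > being kept.
SAMPLE_INPUTS = [
    "O'Brien's note",
    "if a < b then c > d",
]


def legacy_sanitize(s: str) -> str:
    """Python re-implementation of the post's three REReplaceNoCase calls.
    It is lossy: what is stored no longer equals what the user typed, and
    the formula's comparison operators are turned into brackets."""
    s = s.replace("'", chr(96))   # ' -> `
    s = s.replace("<", "[")
    s = s.replace(">", "]")
    return s


def store_parameterized(conn: sqlite3.Connection, text: str) -> None:
    """Insert with a bound parameter.  The driver keeps data and SQL
    separate, so quotes and brackets in the value need no rewriting."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def fetch_all(conn: sqlite3.Connection) -> list[str]:
    """Read the rows back exactly as stored."""
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def render_for_html(text: str) -> str:
    """Encode for an HTML page at display time.  The database keeps the
    original text; only this rendered copy is escaped."""
    return html.escape(text, quote=True)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Return (stored rows, HTML-rendered rows, legacy-sanitized inputs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    for s in SAMPLE_INPUTS:
        store_parameterized(conn, s)
    stored = fetch_all(conn)
    rendered = [render_for_html(s) for s in stored]
    mangled = [legacy_sanitize(s) for s in SAMPLE_INPUTS]
    return stored, rendered, mangled


if __name__ == "__main__":
    for label, rows in zip(("stored", "rendered", "legacy"), demo()):
        print(label, rows)
```

Running `demo()` shows the stored rows equal to the inputs, the rendered rows with `'`, `<` and `>` encoded as `&#x27;`, `&lt;` and `&gt;`, and the legacy path producing `O`Brien`s note` and `if a [ b then c ] d`. For the stored procedures that build SQL dynamically, the same principle applies inside SQL Server: pass the values as parameters to `sp_executesql` rather than splicing them into the statement string, so the quote replacement becomes unnecessary there as well.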