LostProgrammer Posted January 23, 2003

Hello everyone, thanks for the help on my last problem. My problem is this. When I pass my variables to the SQL server, one of the strings has a chunk of text and if the user puts a ' in the string it makes my program crash. So let's say the user enters for my string variable reason = "Didn't make it on time"; the ' in didn't would crash my program. Here is my code.

commsql.CommandText = "INSERT INTO TIMELOG ([uSERNAME],[LOGTIME],[REASON]) VALUES ('" + username + "','" + loginTime + "','" + reason + "')"

Anyone have any ideas on that one? Thanks much
LostProgrammer
Moderators Robby Posted January 23, 2003

Replace all single quotes with 2 single quotes.

' Double every single quote in each user-supplied string before concatenating it into the statement
commsql.CommandText = "INSERT INTO TIMELOG ([uSERNAME],[LOGTIME],[REASON]) VALUES ('" & username.Replace("'", "''") & "','" & loginTime & "','" & reason.Replace("'", "''") & "')"
*Experts* Nerseus Posted January 23, 2003

Another reason to use Stored Procs when possible - you don't have to worry about this (unless you're passing your parameters through a full-string, such as "exec procA 'param1', 123, 'param3'").

Want to see something fun? Try this, set your variable reason to:

"my reason') DROP TABLE TIMELOG --"

If you look at the string you'll be building, you'll get:

INTO TIMELOG ([uSERNAME],[LOGTIME],[REASON]) VALUES ('dan', '1:52PM', 'my reason') DROP TABLE TIMELOG -- )

This is NOT something you want a malicious user to be able to do. Watch your single quotes - could be more than just a syntax error :)

-Nerseus

"I want to stand as close to the edge as I can without going over. Out on the edge you see all the kinds of things you can't see from the center." - Kurt Vonnegut
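The two points above (the apostrophe crash from the question, and why quote-doubling is only a patch while parameters or stored procedures remove the problem) shown side by side. This is an added example, not code from the thread; it uses Python's sqlite3 in place of the poster's ADO.NET setup, with a constructed in-memory TIMELOG table and the two reason strings quoted in the thread as sample input.

```python
import sqlite3

# Constructed sample inputs: the apostrophe case from the question and the
# string Nerseus quotes. Both are treated purely as data below.
APOSTROPHE_REASON = "Didn't make it on time"
INJECTION_REASON = "my reason') DROP TABLE TIMELOG --"


def fresh_db():
    """In-memory TIMELOG table mirroring the thread's three columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TIMELOG (USERNAME TEXT, LOGTIME TEXT, REASON TEXT)")
    return conn


def insert_concatenated(conn, username, logtime, reason):
    """The original approach: values pasted straight into the SQL text.
    Raises sqlite3.OperationalError when `reason` contains a single quote,
    because the quote terminates the literal and the rest is parsed as SQL."""
    sql = ("INSERT INTO TIMELOG (USERNAME, LOGTIME, REASON) VALUES ('"
           + username + "','" + logtime + "','" + reason + "')")
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, username, logtime, reason):
    """The fix: placeholders. The driver sends the values separately from the
    statement, so a quote (or a whole extra statement) in the data stays data."""
    conn.execute(
        "INSERT INTO TIMELOG (USERNAME, LOGTIME, REASON) VALUES (?, ?, ?)",
        (username, logtime, reason))
    conn.commit()


def stored_reasons(conn):
    """All REASON values currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT REASON FROM TIMELOG ORDER BY rowid")]


def demo():
    """Returns (concatenation_failed, reasons stored via parameters)."""
    conn = fresh_db()
    try:
        insert_concatenated(conn, "dan", "1:52PM", APOSTROPHE_REASON)
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True  # the crash described in the question
    insert_parameterized(conn, "dan", "1:52PM", APOSTROPHE_REASON)
    insert_parameterized(conn, "dan", "1:53PM", INJECTION_REASON)
    # The table still exists and both strings were stored verbatim.
    return concat_failed, stored_reasons(conn)
```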
LostProgrammer (Author) Posted January 23, 2003

Wooo that code worked! Thanks very much, that takes care of that problem! Thanks
LP