Re: Slightly OT: VBScript / ASP question

Mike Middleton ( (no email) )
Wed, 13 May 1998 09:58:20 -0500

Greg, consider:

There are names like O'Conner... or fields that could take possessive words
like Mothers' Helpers.

I couldn't use field = replace(request("field"),"'","''") on the forms on
many of the sites I have designed and must 'loop through' (parse) the input
data more intelligently.

This is a normal part of designing and programming input forms for public
consumption. All the suggestions here have been good ones, each useful in
different situations. This isn't a bug IMHO... but it is the best argument
for using <option> pick lists on forms that are going to generate SQL
selects.

Peace,
Mike

>
>I am leaning towards sending this to bugtraq as the prevailing opinion
>seems to be that checking this data is an inconsequential feature, and
>the security implications seem to have escaped most programmers. The
>principle is a really basic one, ALL data received from untrusted
>users MUST be checked completely before use in trusted contexts like
>SQL queries.
>
>greg
>
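Added example, not code from either poster: a Python/sqlite3 illustration of the ways the field discussed in this thread can reach a query, with the quote-doubling replace() beside a bound parameter, plus the server-side allow-list check a pick-list value still needs. The table, the sample names and the allowed column set are constructed for the demonstration; in ASP the bound-parameter form corresponds to a parameterised ADODB.Command.

```python
import sqlite3

# Constructed sample rows: the kinds of names the thread mentions.
SAMPLE_NAMES = ["O'Conner", "Mothers' Helpers", "Smith"]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def lookup_concat(conn, field):
    """Raw concatenation: the query breaks as soon as the input holds an apostrophe."""
    sql = "SELECT name FROM customers WHERE name = '" + field + "'"
    return [row[0] for row in conn.execute(sql)]


def concat_fails(conn, field):
    """True if the concatenated query is rejected by the database for this input."""
    try:
        lookup_concat(conn, field)
        return False
    except sqlite3.Error:
        return True


def lookup_doubled(conn, field):
    """The replace(request("field"),"'","''") idea from the thread: every apostrophe is
    doubled, which is only meaningful when the value sits inside a single-quoted literal."""
    sql = "SELECT name FROM customers WHERE name = '" + field.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, field):
    """Bound parameter: the driver keeps data and SQL apart, so no escaping is needed."""
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (field,))
    return [row[0] for row in rows]


# Constructed allow-list: the values the form's <option> list is meant to offer.
ALLOWED_SORT_COLUMNS = {"name"}


def lookup_sorted(conn, sort_col):
    """A pick-list value still arrives as untrusted text, and an identifier cannot be
    bound as a parameter, so it is checked against the allow-list before use."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_col)
    rows = conn.execute("SELECT name FROM customers ORDER BY " + sort_col)
    return [row[0] for row in rows]
```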