Problem with %

webfox

Hello!
I have a SELECT command passed through ASP like this:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID

and when I pass it, it gives me:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"ïectuar" ORDER BY PK_A_MSGID

Why? How can I correct this?
Thanks
 
Ray at

I don't know what the story is with the %'s disappearing, but you should be
using ' to delimit in SQL, not ".

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE '%Efectuar%' ORDER BY PK_A_MSGID"

Ray at home
 
webfox

If I use ' instead of " it gives me:

sSQL = "SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE
C3_MSG LIKE
 
Ray at

How about posting the relevant code snippet you're using to generate this
string?

Ray at home
 
Dan Brussee

Hello!
I have a SELECT command passed through ASP like this:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
""%Efectuar%"" ORDER BY PK_A_MSGID

and when I pass it, it gives me:

SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS WHERE C3_MSG LIKE
"ïectuar" ORDER BY PK_A_MSGID

Why? How can I correct this?
Thanks

Wouldn't the %E be converted to a character? In other words, it's
translating just like %20 becomes a space. %EF is some high-order
character.

Try doing an encoding on the string before passing it.
 
Dave Anderson

Aaron Bertrand - MVP said:
Pass through the form collection instead of the querystring
collection. Aside from the string formatting issues, think
about what the user could do to this URL:

http://www.yourserver.com/page.asp?query=SELECT+*+FROM+table

Could easily become:

http://www.yourserver.com/page.asp?query=DROP+TABLE+table

Can someone please explain how changing to the form collection protects me
from this type of malicious submission? Assuming the user is sophisticated
enough to form a damaging request, I see no reason to think he could not
tweak a form submission with as much ease as a querystring.

Use ' not "" for delimiting the string, and consider passing
only the dynamic portion of the query...

Consider? This should be a point of evangelism. If it's worth the time spent
to develop, it's worth a few minutes more to construct a stored procedure,
the benefits of which exceed simple prevention of malicious code execution.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
Aaron Bertrand - MVP

Can someone please explain how changing to the form collection protects me
from this type of malicious submission?

It doesn't protect you, per se, but it makes it easier to validate (since
you can add referrer checks, session data, elapsed time, etc. to make sure
the form came from where you expect it to).
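Dan Brussee's decoding explanation and Aaron Bertrand's advice to send only the dynamic portion, worked through as an added Python example that is not code from the thread or from any of its posters. It assumes the server's single-byte percent-decoding can be modelled with latin-1, and it uses an in-memory SQLite table with constructed rows that mirror the thread's column names.

```python
# Added example, not from the thread: reproduce the vanishing '%' and show the two fixes
# the replies point at: URL-encode the value, and send only the search term, not the SQL.
import sqlite3
from urllib.parse import quote, unquote

def decode_like_the_server(raw: str) -> str:
    """Model what Request.QueryString did to the raw value.
    Assumption: single-byte (latin-1) percent-decoding, so '%Ef' is hex EF -> 'ï'.
    The poster's server also dropped the lone trailing '%', which Python keeps."""
    return unquote(raw, encoding="latin-1")

def encode_for_querystring(value: str) -> str:
    """Dan's advice: percent-encode before the value goes into the URL, so every
    literal '%' travels as '%25' and decodes back to '%' on the server."""
    return quote(value, safe="")

def search_messages(conn: sqlite3.Connection, term: str) -> list:
    """Aaron's advice: ship only the dynamic part (the term) and bind it as a
    parameter. The wildcards are added here; the term can never become SQL."""
    sql = ("SELECT PK_A_MSGID, C3_MSG, C3_MSGPT, C3_MSGEN FROM S_MSGS "
           "WHERE C3_MSG LIKE ? ORDER BY PK_A_MSGID")
    return conn.execute(sql, (f"%{term}%",)).fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring the thread's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE S_MSGS (PK_A_MSGID INTEGER PRIMARY KEY, "
                 "C3_MSG TEXT, C3_MSGPT TEXT, C3_MSGEN TEXT)")
    conn.executemany("INSERT INTO S_MSGS VALUES (?, ?, ?, ?)", [
        (1, "Efectuar pagamento", "Efectuar pagamento", "Make payment"),
        (2, "Cancelar", "Cancelar", "Cancel"),
        (3, "Pagamento efectuado", "Pagamento efectuado", "Payment made"),
    ])
    return conn

if __name__ == "__main__":
    raw = "%Efectuar%"
    print(decode_like_the_server(raw))              # ïectuar%  : the bug in the thread
    safe = encode_for_querystring(raw)              # %25Efectuar%25
    print(decode_like_the_server(safe))             # %Efectuar% : round-trips intact
    conn = demo_db()
    print(search_messages(conn, "Efectuar"))        # only row 1
    # The thread's feared payload, sent as a search term, is just text to match:
    print(search_messages(conn, "DROP TABLE S_MSGS"))  # []
    print(conn.execute("SELECT COUNT(*) FROM S_MSGS").fetchone()[0])  # 3, table intact
```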