Protecting Data in SQL Statements

This section provides a tutorial example on running the test script, insert_access.asp, persist data to MS Access database using the Execute() method to run an INSERT statement.

Respecting SQL syntax rules is easy, if you are writing SQL statements as string literals. But in ASP pages, SQL statements must be composed with variables. It is very often that special characters in the variable values will break some syntax rules. When this happens, your script will not do what it is expected to do, or users will get crash pages.

SQL statement syntax rules related to MS Access database are simple:

To help obey those rules, your ASP script should pre-process all variables used as field values. Here are some suggestions:

Last update: 2005.

Table of Contents

 About This Book

 ASP (Active Server Pages) Introduction

 IIS (Internet Information Services) 5.0

 MS Script Debugger

 VBScript Language

 ASP Built-in Run-time Objects

 ASP Session

 Creating and Managing Cookies

 Managing Sessions with and without Cookies

 scrrun.dll - Scripting Runtime DLL

 Managing Response Header Lines

 Calculation Speed and Response Time

 ADO (ActiveX Data Object) DLL

Working with MS Access Database

 Connecting ASP Pages to MS Access Databases

 "hello_access.asp" - MS Access Example

 Persisting Data to MS Access Databases

 Running "insert_access.asp"

Protecting Data in SQL Statements

 Protecting Data in SQL Statements - Test Script

 Guest Book Application Example

 References

 PDF Printing Version