space cowboy
04-11-2007, 10:41 AM
I'm looking for some help... I have a simple form on my site that uploads some text to a database (Access).
here is the form....
<form name="frmInsert" method="post" action="insertProcess.asp">
<input type="hidden" name="insrow" value="1">
<p>Subject<br/><input type="text" name="newsMonth1" size="30"></p>
<p> </p>
<p>News Body<br/>
<textarea name="newsItem1" cols="35" rows="8" id="Address"></textarea></p>
<p> </p>
<input type="submit" value="Submit">
</form>
and here is the part that uploads....
<%
Dim Conn
Dim SQLTemp
If request("insrow") = "1" THEN
newsItem2 = request("newsItem1")
newsMonth2 = request("newsMonth1")
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.connectionstring = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" _
& Server.Mappath("../one.mdb") & ";"
Conn.Open
SQLTemp = "INSERT INTO bevRacesNews (newsItem, newsMonth) VALUES ('" & newsItem2 & "','" & newsMonth2 & "')"
Conn.execute(SQLTemp)
Conn.Close
Set Conn = Nothing
response.write("<p>new news item inserted!</p><p> </p><p><a href=""admin.asp"" class=""Green"">back to admin options</a></p>")
End If
%>
But if within this form I insert certain characters, mainly ''''''
it doesn't upload. I know I need to escape these, but how?
cheers
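The reason the insert fails is that a single quote in the posted text closes the string literal in the concatenated INSERT, so the SQL is malformed (and anything after the quote is parsed as SQL, which is the same mechanism as SQL injection). The robust fix is not to escape quotes at all but to keep the data out of the SQL text with an ADODB.Command and ? placeholders, which the Access ODBC driver accepts. The following is an added example written for this thread, not code from the original post; it assumes the same table, column names and ../one.mdb path shown above, and that newsItem is a Memo column and newsMonth a Text column.

```vbscript
<%
' Added example: parameterised version of the insert shown in the post.
' ADO constants (ADOVBS.inc is not included here, so the numeric values are used):
Const adCmdText      = 1
Const adParamInput   = 1
Const adVarWChar     = 202   ' Access Text column
Const adLongVarWChar = 203   ' Access Memo column

Dim Conn, Cmd, newsItem2, newsMonth2

If Request.Form("insrow") = "1" Then
    ' Request.Form reads only POSTed fields, not the query string.
    newsItem2  = Request.Form("newsItem1")
    newsMonth2 = Request.Form("newsMonth1")

    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.ConnectionString = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" _
        & Server.MapPath("../one.mdb") & ";"
    Conn.Open

    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    ' The SQL text never contains user data; each ? is bound below.
    Cmd.CommandText = "INSERT INTO bevRacesNews (newsItem, newsMonth) VALUES (?, ?)"

    ' Parameters are bound in the order of the ? markers. Quotes, semicolons
    ' or anything else in the text are stored literally, never parsed as SQL.
    Cmd.Parameters.Append Cmd.CreateParameter("newsItem", adLongVarWChar, adParamInput, Len(newsItem2) + 1, newsItem2)
    Cmd.Parameters.Append Cmd.CreateParameter("newsMonth", adVarWChar, adParamInput, 255, newsMonth2)

    Cmd.Execute

    Set Cmd = Nothing
    Conn.Close
    Set Conn = Nothing

    Response.Write("<p>new news item inserted!</p><p> </p>" _
        & "<p><a href=""admin.asp"" class=""Green"">back to admin options</a></p>")
End If
%>
```

If you must keep string concatenation for some reason, the minimal escape for Access/Jet is Replace(value, "'", "''") on every value before it is concatenated, but that only handles the quote problem and is easy to forget on the next query; the parameterised form handles it for you.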