Prevent special characters

T

tmyers

Well-known member
Local time
Today, 01:34
Joined
Sep 8, 2020
Messages
1,091
Is there a way to (easily) prevent certain characters from being entered into fields? I know inputting certain characters can cause queries to break (I believe the technical term is SQL injection). The two I am most concerned about the users off hand entering are & and an apostrophe. Some of them just use ampersand in their normal typing, where as others would use an apostrophe to designate footage. I believe the way I designed it, the fields those may be entered in wouldn't cause a problem but better safe then sorry.
 
Hi. Actually, special characters should be fine as data. They're not fine in object names.
 
theDBguy said:
Hi. Actually, special characters should be fine as data. They're not fine in object names.
Click to expand...
Ok. I was probably reading a little far into it. I am not super worried about it but a friend had mentioned it that allowing people to enter something like 200' in an input field could cause things to break.
 
tmyers said:
Ok. I was probably reading a little far into it. I am not super worried about it but a friend had mentioned it that allowing people to enter something like 200' in an input field could cause things to break.
Click to expand...
An input field or a parameter prompt is something else. That's how you could get SQL injections. There are ways to avoid that. One way, of course, is to not use parameter prompts. Instead, use input forms, so you validate and sanitize the input.
 
I had a similar problem in that when you create spreadsheet tab names with VBA you need to remove some special characters.

Minty provided me with some excellent code:- "fStripIllegal" You can find a link to it on my website here:-

www.niftyaccess.com

Make Excel Sheets From Access Table - Nifty Access

Excel Sheets From Access Table If you've ever faced the challenge of exporting data from Microsoft Access into Excel, you’re not alone! One of the most common requests is to organize data by categories, like exporting car makes into separate Excel sheets or even separate Excel files. I’ve...
www.niftyaccess.com www.niftyaccess.com

Along with an explanation of how it was used....
 
Last edited:
I see. I take a look at that Gizmo.
The only place this could happen is in typical data entry when the user is recording counts for things. Sometimes a type is in linear foot, so a person of habit could put that apostrophe in causing interesting results later when things are being totaled and such. The fields themselves are not part of queries, just data entry going into the tables.
 
tmyers said:
I see. I take a look at that Gizmo.
The only place this could happen is in typical data entry when the user is recording counts for things. Sometimes a type is in linear foot, so a person of habit could put that apostrophe in causing interesting results later when things are being totaled and such. The fields themselves are not part of queries, just data entry going into the tables.
Click to expand...
Linear foot should be allowed to contain the apostrophe; although, it's your prerogative if you to take them out. Handling them in your code or queries should be your (the developer) responsibility.

It's the same situation with other fields like last names. You wouldn't want some database to improperly store it if your last names was O'Donnell, right?
 
In general, the technique to validate any data you can build a common function
Code: 
Public Function ValidateData as boolean
  dim ctrl as access.control
  set ctrl = activecontrol
'add code here to validate data if valid set as True
ValidateData = True
end function

Select all the controls to validate and put this in the before update event

if not ValidateData then cancel = true
'other code
 
theDBguy said:
Linear foot should be allowed to contain the apostrophe; although, it's your prerogative if you to take them out. Handling them in your code or queries should be your (the developer) responsibility.

It's the same situation with other fields like last names. You wouldn't want some database to improperly store it if your last names was O'Donnell, right?
Click to expand...
Fair enough.
 
@tmyers
So this is an important decision point. You can say to yourself:
- I need to prevent apostrophes from going into the data set, else I may have trouble when building a dynamic SQL string later and an apostrophe shows up
or
- I can't prevent my users from entering legit apostrophes, such as the name Jack O'Malley, so I'll handle that when I build my dynamic SQL string.

Over the years, 90% of the time I make this decision I end up deciding I better let the users enter the true data, and handle it later. But it is up to you - just a word of warning.

To handle it at query-building time, you need to learn a method called "escaping". It's where you tell the db engine "this is legit, it's not a syntax symbol". In SQL, you do that by doubling-up. You replace ' with two of them - ''

So you code:
strSQL = strSQL & " where lastname='" & replace(me.txtLastName,"'","''") & "'"

...I replaced ' with two of them, ''

It's more to remember, but, possibly, more faithful to your users' expectations
 
You must log in or register to reply here.

Similar threads

The_Doc_Man
Important Security Guidelines
2
Replies
24
Views
669
The_Doc_Man
The_Doc_Man
P
Solved Simple Filter Not Finding Records
Replies
3
Views
168
theDBguy
theDBguy
Rich77
Exclude a character (Apostrophe) in an input field of a form
Replies
5
Views
893
Pat Hartman
P
Rich77
Solved Exclude a character (Apostrophe) in an input field of a form
Replies
6
Views
616
Rich77
Rich77
D
Linked SharePoint list. Is it possible to grant users contribute permissions on the SP site, but password protect the SP list URL itself from users?
Replies
6
Views
355
GPGeorge
GPGeorge

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Back
Top Bottom