Characters Converted by Httpodbc.dll (158729)



The information in this article applies to:

  • Microsoft Internet Information Server 2.0

This article was previously published under Q158729
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

Certain characters are converted when you pass them into the Internet Database Connector (IDC) mechanism (Httpodbc.dll).

MORE INFORMATION

The Internet Database Connector performs the following conversions on characters as they pass from an HTML form into the IDC file.

The following conversions can cause a problem when you try to pass portions of a Microsoft SQL Server statement into an IDC file. Passing entire portions of a SQL statement in through parameters is not recommended, because malicious users could specify rogue SQL parameters that alter the intended application usage.
  • Double all single quotes to prevent SQL quoting problems.
  • Remove escaped '\n's.
  • Replace all '&' parameter delimiters with real '\n'.
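
The effect of the quote-doubling conversion on value parameters and on SQL-fragment parameters is shown below as an added example that is not part of the original article and is not Httpodbc.dll code. It assumes a simplified %name% template expansion, uses SQLite in place of SQL Server, and the table, column, and function names are constructed for illustration.

```python
import sqlite3

def idc_double_quotes(value):
    # Conversion 1 from the list above: every ' becomes ''.
    return value.replace("'", "''")

def expand(template, params):
    # Simplified model (assumption): convert each value, then place it in its %name% slot.
    for name, value in params.items():
        template = template.replace("%" + name + "%", idc_double_quotes(value))
    return template

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors (au_lname TEXT, city TEXT)")
    db.executemany("INSERT INTO authors VALUES (?, ?)",
                   [("O'Leary", "Oakland"), ("Smith", "Berkeley")])
    return db

def run(db, sql):
    # Return (sql, rows), or (sql, exception) when the statement does not parse.
    try:
        return sql, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return sql, exc

def value_param(db, lname):
    # The parameter is a value inside quotes: doubling keeps it a single literal.
    template = "SELECT city FROM authors WHERE au_lname = '%lname%'"
    return run(db, expand(template, {"lname": lname}))

def fragment_param(db, where):
    # Discouraged design: the parameter carries a piece of the statement itself.
    return run(db, expand("SELECT city FROM authors WHERE %where%", {"where": where}))

def bound_param(db, lname):
    # Preferred design: the statement text is fixed and the value is bound by the driver.
    return db.execute("SELECT city FROM authors WHERE au_lname = ?", (lname,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(value_param(db, "O'Leary"))                   # literal survives intact
    print(fragment_param(db, "au_lname = 'Smith'"))     # doubled quotes break the fragment
    print(fragment_param(db, "city IS NOT NULL"))       # quote-free fragment is taken as SQL
    print(bound_param(db, "O'Leary"))
```

A fragment that contains quotes is mangled by the conversion, and a fragment without quotes reaches the database unchanged, so the conversion gives no protection when the caller supplies the predicate.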

Modification Type: Minor
Last Reviewed: 6/23/2005
Keywords:KB158729