Microsoft KB Archive/158729

= Characters Converted by Httpodbc.dll =

Article ID: 158729

Article Last Modified on 6/23/2005


APPLIES TO


 * Microsoft Internet Information Server 2.0




This article was previously published under Q158729



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
Certain characters are converted when you pass them into the Internet Database Connector (IDC) mechanism (Httpodbc.dll).



MORE INFORMATION
The Internet Database Connector makes the following conversions on characters when it passes them from an HTML form into the IDC file.

These conversions can cause a problem when you try to pass portions of a Microsoft SQL Server statement into an IDC file. Passing entire portions of a SQL statement in through parameters is not recommended, because malicious users could specify rogue SQL parameters that alter the intended application usage.


 * Double all single quotes to prevent SQL quoting problems.
 * Remove escaped '\n's.
 * Replace all '&' parameter delimiters with real '\n'.
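
The following Python model of the three conversions above is an added illustration, not Microsoft's code and not a reproduction of Httpodbc.dll internals. It shows why a value containing an apostrophe survives the conversion inside a quoted literal, while a SQL fragment passed as a parameter has its own quotes doubled and no longer means what was intended. Assumptions: an "escaped '\n'" is a URL-encoded line feed (%0A) in the form body, and the function names, the customers table and the sample form bodies are constructed for the example.

```python
import re

# Constructed SQL statements in the style of an IDC SQLStatement with %param% placeholders.
VALUE_TEMPLATE = "SELECT * FROM customers WHERE name = '%name%'"
FRAGMENT_TEMPLATE = "SELECT * FROM customers WHERE %filter%"


def idc_convert(form_body: str) -> str:
    """Apply the three listed conversions, in the listed order, to a raw form body."""
    # 1. Double all single quotes.
    body = form_body.replace("'", "''")
    # 2. Remove escaped newlines (assumption: the URL-encoded form %0A).
    body = re.sub("%0a", "", body, flags=re.IGNORECASE)
    # 3. Replace the '&' parameter delimiters with real newlines.
    return body.replace("&", "\n")


def parse_params(converted: str) -> dict:
    """Read one name=value pair per line of the converted body."""
    params = {}
    for line in converted.split("\n"):
        name, _, value = line.partition("=")
        params[name] = value
    return params


def expand(template: str, params: dict) -> str:
    """Substitute %name% placeholders with the converted parameter values."""
    return re.sub(r"%(\w+)%", lambda m: params.get(m.group(1), ""), template)


def build(template: str, form_body: str) -> str:
    """Full path: form body -> conversions -> parameters -> SQL text."""
    return expand(template, parse_params(idc_convert(form_body)))


if __name__ == "__main__":
    # A plain value: the doubled quote is a valid escaped apostrophe inside the literal.
    print(build(VALUE_TEMPLATE, "name=O'Brien&city=Cork"))
    # A SQL fragment: its own quotes are doubled, so the comparison is no longer valid.
    print(build(FRAGMENT_TEMPLATE, "filter=city='Cork'"))
    # An escaped newline inside a value is dropped, so it cannot add a parameter line.
    print(parse_params(idc_convert("note=line1%0Aline2&name=x")))
```

Under this model, only values that sit inside a quoted literal in the SQL statement pass through the conversions intact, which matches the article's advice to keep SQL text out of the parameters.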

Keywords: KB158729


© Microsoft Corporation. All rights reserved.