This is a discussion on BUG: httpodbc.dll (IDC stuff) within the MS SQL ODBC forums, part of the Microsoft SQL Server category.
First: Yes, I know, "IDC? WTF? ROTFL!!" If I wasn't working in it, I'd laugh at me too...

Background: We've got some legacy-tech pages running htx/idc. Up until Win2000 SP4, they've been working. After spending way too much time on this, I've finally isolated the problem to httpodbc.dll---specifically version 5.0.2195.6667 and 5.1.2600.1172 of the file. The buggy version of the file comes from the "MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)" update (KB article 811114). A "good version" of the file (with regard to this bug) can be found in "MS02-062: October 2002 Cumulative Patch for Internet Information Services" (KB article 327696). The "good" version is 5.0.2195.5663.

I had to use the "Profiler" utility that comes with Sql Server 2000 to see what was happening. At first, I tried setting "SQL_OPT_TRACE=1" in the ODBCOptions section and watching "sql.log", but that doesn't help since the Sql passed to SQLExecDirect doesn't have the problem (and the trace log truncates the executed query, which is another huge annoyance).

Description: Basically, the problem is in how a variable is substituted into the SQLStatement in the .idc file. Under the right circumstances, if the string the variable contains has a space in it, the engine surrounds it in quotes. Additionally, the second time the variable's contents are put into the query, they are inserted twice---the third time, they are duplicated 3 times. I didn't try any more repeats than that.

For example, let's say we've got a textbox we'd like to submit (<input type=text name=txt>). And on the .idc page itself, we've got a snippet of Sql like so:

    IF '%txt%' = '' OR '%txt%' = 'None' OR '%txt%' = 'Nothing' ...

Next, run/execute the .idc file setting "txt" to "foo bar" (<input type=text name=txt value="foo bar">).

When it runs, do a trace in the Profiler app---it reports to have attempted this Sql:

    IF ''foo bar'' = '' OR ''foo bar''foo bar'' = 'None' OR ''foo bar''foo bar''foo bar'' = 'Nothing' ...

Notice that this is not good behavior on the part of the IDC engine. Oh, and while I'm doing examples, what you would see in the sql.log is this:

    IF 'foo bar' = '' OR 'foo bar' = 'None' OR 'foo bar' = 'Nothing' ...

That is the behavior that's expected.

I thought it wouldn't take much to produce a simple, example htx/idc pair, but, of course, I was wrong; I don't have time to attempt anything further right now; I need to get back to other maintenance work. Hopefully it won't be too hard for someone at Microsoft to isolate and fix it. If nothing else, one should be able to diff the source to version 5.0.2195.6667 with 5.0.2195.5663 and use that as a starting point (and if they don't already, they ought to use BeyondCompare---that utility rocks!). Also, it shouldn't be hard to notice code that surrounds a string with single-quotes before inserting it into another string if some condition is met.

Workaround: After applying SP4 on Win2k, I was able to simply replace the bad version of httpodbc.dll (c:\winnt\system32\inetsrv) with the 5.0.2195.5663 version. Remember to first replace the copy in c:\winnt\dllcache as well as the copy in the SP4 install folder (search for the .dll to find other copies) so the "Windows File Protection" feature doesn't revert your changes. Also, you must stop the IIS service so it "lets go of" httpodbc.dll.

Thanks,
Granger

PS: My email address does NOT contain any underscore characters.
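A way to triage Profiler traces for the symptom described in the post above, as an added example that is not part of the original post and is not Microsoft's code. The rule it encodes (a value containing a space has its k-th occurrence replaced by the single-quoted value repeated k times) is inferred from the post's one example and is an assumption, as are the function names and the per-variable counting.

```python
import re

# Constructed sample data, copied from the statements quoted in the post.
TEMPLATE = "IF '%txt%' = '' OR '%txt%' = 'None' OR '%txt%' = 'Nothing'"
SQL_LOG = "IF 'foo bar' = '' OR 'foo bar' = 'None' OR 'foo bar' = 'Nothing'"
PROFILER_SQL = ("IF ''foo bar'' = '' OR ''foo bar''foo bar'' = 'None' "
                "OR ''foo bar''foo bar''foo bar'' = 'Nothing'")


def render(template, params, symptom=False):
    """Fill %name% markers in an .idc SQLStatement.

    symptom=False: plain substitution (what sql.log showed).
    symptom=True : model of the reported behaviour. Assumption: it triggers
                   only for values containing a space, counted per variable.
    """
    seen = {}

    def substitute(match):
        name = match.group(1)
        if name not in params:
            return match.group(0)        # unknown marker: leave untouched
        value = params[name]
        if not symptom or " " not in value:
            return value
        seen[name] = seen.get(name, 0) + 1
        return ("'" + value + "'") * seen[name]

    return re.sub(r"%(\w+)%", substitute, template)


def _norm(sql):
    return " ".join(sql.split())         # ignore whitespace-only differences


def classify(template, params, traced_sql):
    """Label a traced statement: 'expected', 'httpodbc-symptom' or 'other'."""
    if _norm(traced_sql) == _norm(render(template, params)):
        return "expected"
    if _norm(traced_sql) == _norm(render(template, params, symptom=True)):
        return "httpodbc-symptom"
    return "other"


if __name__ == "__main__":
    for label, sql in (("sql.log", SQL_LOG), ("Profiler", PROFILER_SQL)):
        print(label, "->", classify(TEMPLATE, {"txt": "foo bar"}, sql))
```

A statement classified as "other" differs from both renderings and needs manual review; the model covers only the pattern the post shows.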