Using single quotes with SQL

Tags: sql, insert, single quotes, select
  • 9 years ago
    Hi, I have a problem with my SQL code in VB6. I am using an INSERT INTO() and SELECT statement to work with an MS Access database. The problem is that if somebody enters a name with a single quote, the application causes an error and the program terminates. I have tried to use the VB6 Replace function but it seems not to work. My code is like: "select * from master_tbl where ITEM_NAME='" & Replace(txtItemName.Text, "'", "''") & "'". Any help will be highly appreciated. Thanks in advance.
  • 9 years ago
    Hi, the problem you are facing, I think, is due to using inline SQL rather than a parameterised query. The method you have there opens you up to an SQL injection attack. Switch to a parameterised query, and the quotes won't be a problem. Si
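As an added example, not part of either post: the two approaches in the thread side by side. It uses Python's sqlite3 module in place of VB6/ADO and Access, because the quoting behaviour of a string literal is the same in both; the table name and column come from the question, while the rows and the QTY column are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the Access master_tbl in the thread;
# the second item contains the single quote that breaks the original code.
SAMPLE_ROWS = [("Widget", 3), ("O'Brien's hammer", 1), ("Nail", 40)]


def make_db():
    """Build an in-memory SQLite table shaped like the post's master_tbl."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE master_tbl (ITEM_NAME TEXT, QTY INTEGER)")
    conn.executemany("INSERT INTO master_tbl VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_inline(conn, item_name):
    """Inline SQL built by string concatenation, as in the question.

    The user's text becomes part of the statement, so a single quote in it
    unbalances the string literal and the database rejects the statement.
    """
    sql = "SELECT ITEM_NAME, QTY FROM master_tbl WHERE ITEM_NAME='" + item_name + "'"
    return conn.execute(sql).fetchall()


def lookup_doubled(conn, item_name):
    """The escaping the question attempted: double every single quote.

    This repairs the literal for a plain quote, but it is still string
    building: the statement and the data remain mixed, and every escaping
    rule has to match the database exactly or the statement is wrong again.
    """
    escaped = item_name.replace("'", "''")
    sql = "SELECT ITEM_NAME, QTY FROM master_tbl WHERE ITEM_NAME='" + escaped + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, item_name):
    """Parameterised query, the fix recommended in the reply.

    The SQL text is fixed and the value travels separately, so quotes in
    item_name are just data and cannot change the statement.
    """
    sql = "SELECT ITEM_NAME, QTY FROM master_tbl WHERE ITEM_NAME=?"
    return conn.execute(sql, (item_name,)).fetchall()


def inline_fails(item_name):
    """True if the concatenated query raises on this input (the crash the post describes)."""
    conn = make_db()
    try:
        lookup_inline(conn, item_name)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def compare(item_name):
    """Run all three variants for one input and report what each returned."""
    conn = make_db()
    try:
        return {
            "inline_fails": inline_fails(item_name),
            "doubled": lookup_doubled(conn, item_name),
            "param": lookup_param(conn, item_name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("Widget", "O'Brien's hammer"):
        print(name, compare(name))
```

In VB6 with ADO the parameterised form is an ADODB.Command whose CommandText uses ? placeholders and whose Parameters collection is filled with CreateParameter, so the item name is never concatenated into the SQL text at all.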
