using single qoutes with sql

sql , insert , single quotes , select Saint-Denis, France
  • 12 years ago
    Hi, I have a problem with my sql code in vb6. Am using an insert into() and select statement to work with an ms access database. the problem is that if somebody enters a name with a single quote, the the application causes an error and the program terminates. Have tried to use the vb6 replace function but seems not to work. my code is like: select * from master_tbl where ITEM_NAME='" & replace(txtItemName.text,"'","''") & "'. ANY HELP WILL BE HIGHLY APPRECIATED. Thanx in advance.
  • 12 years ago
    Hi, The problem you are facing i think is due to using inline sql rather than a parameterised query. The method you have there opens you up to an SQL injection attack. Switch to a parameterised query, and the qoutes won't be a problem. Si

Post a reply

Enter your message below

Sign in or Join us (it's free).


Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“Computer science education cannot make anybody an expert programmer any more than studying brushes and pigment can make somebody an expert painter” - Eric Raymond