using single qoutes with sql
Last post was 24 Dec 2008 at 08:01
-
Hi, I have a problem with my sql code in vb6. Am using an insert into() and select statement to work with an ms access database. the problem is that if somebody enters a name with a single quote, the the application causes an error and the program terminates. Have tried to use the vb6 replace function but seems not to work. my code is like: select * from master_tbl where ITEM_NAME='" & replace(txtItemName.text,"'","''") & "'. ANY HELP WILL BE HIGHLY APPRECIATED. Thanx in advance.
-
Hi, The problem you are facing i think is due to using inline sql rather than a parameterised query. The method you have there opens you up to an SQL injection attack. Switch to a parameterised query, and the qoutes won't be a problem. Si
Post a reply
SQL forum discussion
-
PROBLEM
by royal ludhiana (2 replies)
-
Sql Update Trigger
by ElviOliv (2 replies)
-
SQL server
by raf9 (0 replies)
-
lower and upper limit problem
by ansari.wajid (2 replies)
-
Pls help me, thank you!
by joe90 (1 replies)
Quick links
Recent activity
- arif ahmad replied to How to receive data in web ...
- William Thompson replied to What is the name of the Win...
- Sameera Piyadigamage replied to Point of Sale Developers: H...
- Scott Carline replied to 4 x C# Developers for large...
- Rajendra Dhakal replied to Restore SQL Server text dat...
- cloud rainda replied to How to convert between TS f...
Enter your message below
Sign in or Join us (it's free).