Commas in a SQL statement

TheMaskedPencil

Programmer
Jan 18, 2005
6
CA
I need to know if it is possible to add a comma into a database field, that is from a string variable. Here is an example.

strString = "Here, there and everywhere."

"INSERT INTO table ([Field]) VALUES ('" & strString & "')"

Every time I run, I get an error message; the comma acts as a separator, like when you are inserting multiple values. Is there any way to fix it, or will I have to reformat the string and replace the comma with a different character before I can save it to the database (Access 2000)?

Please tell me there is a simple answer.
 
Rather than building your insert statement dynamically, you need to look into using SQL Parameters.

Sweep
...if it works dont f*** with it
 
SQL Parameters? Where can I get information on that? I have been looking on Google and there hasn't been really a good explanation of it.
 
In VB6 I use the following:

'" & Replace(Textbox.Text, "'", "''") & "'

 
thread796-1104577

see last post

dvannoy, this is the VB.NET forum, although what you say will work even in .NET.

Christiaan Baes
Belgium

I just like this --> [Wiggle] [Wiggle]
 
chrissie1,

Thank you for pointing that out. I am aware of which forum I am in. But again, thank you for pointing that out.

 
dvannoy, don't provoke him, he bites. And it's only a matter of time until the freaky distracting sig wears off and he realises he's hungry.

But there is an excellent example of using parameters about 2/3s the way down in thread796-1104577 as Chrissie mentioned.

-Rick

VB.Net Forum forum796 forum855 ASP.NET Forum
[monkey]I believe in killer coding ninja monkeys.[monkey]
 
There are many benefits to using parameterized SQL besides not having to mess around with single-quotes.

For example, your queries will run faster, because the database engine (assuming you're not using Access) will be able to store them in its procedure cache for later use.

You'll also be protected against the SQL injection attack, whereupon an attacker is able to execute arbitrary SQL against your database, and possibly run operating system commands.

Here's a good article & debate on the subject, plus you'll want to do a google for yourself.


Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
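
The parameterized insert recommended in this thread, as an added example that is not code from any poster: the statement from the question rewritten for VB.NET with `System.Data.OleDb`, so the value is bound as data rather than concatenated into the SQL text. The Jet 4.0 connection string, the placeholder database path, the module and function names, and the 255-character Text column are assumptions; `[table]` and `[Field]` are the names used in the question.

```vbnet
Imports System.Data.OleDb

Module ParameterizedInsertExample
    ' Assumption: Jet 4.0 provider (Access 2000 format). The path is a
    ' placeholder; point it at your own .mdb file.
    Private Const ConnectionString As String =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\database.mdb"

    ' Inserts one value and returns the number of rows affected.
    ' The SQL text is a constant; the value is sent separately, so commas,
    ' apostrophes and parentheses in it are never parsed as SQL.
    Function InsertValue(ByVal value As String) As Integer
        ' Brackets keep Jet from reading the names as reserved words.
        Const sql As String = "INSERT INTO [table] ([Field]) VALUES (?)"

        Using conn As New OleDbConnection(ConnectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' OleDb binds parameters by position, one per "?";
                ' the parameter name is only a label.
                ' Assumption: [Field] is a Text column (max 255 characters).
                cmd.Parameters.Add("@Field", OleDbType.VarWChar, 255).Value = value
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample inputs: the string from the question, one with
        ' apostrophes, and one containing SQL punctuation.
        Dim samples() As String = {
            "Here, there and everywhere.",
            "O'Brien's notes, part 1",
            "value'); -- stored as plain text"
        }
        For Each s As String In samples
            Console.WriteLine("{0} row(s) inserted for: {1}", InsertValue(s), s)
        Next
    End Sub
End Module
```

Each sample is stored exactly as written, with no `Replace` call for quotes, because the provider never splices the value into the statement.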
 