Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to handle data with apostrope in name like O'Neil in a SQL string

Status
Not open for further replies.
leo57

leo57

Programmer
Oct 28, 2013
33
0
0
US
I tried adding a chr(34) but SQL does not like it.

Code: 
" Report1 = " chr(34) & Me.txtReport1.Text & chr(34) & ", " & _

'here is my original SQL string
SQLUpdateString = "Update Recognition Set CommonName = '" & Me.txtEmployeeName.Text & "', " & _
                        " EmployeeEPriseID = '" & Me.txtEmployeeEPriseID.Text & "', " & _
                        " Location = '" & Me.txtLocation.Text & "', " & _
                        " VPName = '" & Me.txtVPName.Text & "', " & _
                        " Nominator = '" & Me.txtNominator.Text & "', " & _
                        " Reporttomanager = '" & Me.txtReportToManager.Text & "', " & _
                        " Report1 = '" & Me.txtReport1.Text & "', " & _
                        " Report2 = '" & Me.txtReport2.Text & "', " & _
                        " Report3 = '" & Me.txtReport3.Text & "', " & _
                        " AwardType = '" & Me.ddlAwardTypes.Text & "', " & _
                        " [Event] = '" & Me.txtEvent.Text & "', " & _
                        " Awarded = '" & Me.ddlAwardedYN.Text & "', " & _
                        " DateAwarded = '" & Me.txtDateAwarded.Text & "', " & _
                        " NominationSummary = '" & Me.txtNominationSummary.Text & "', " & _
                        " ePrizeID = '" & Me.txtUserEPriseID.Text & "' " & _
                       "Where UniqueID = " & Session("EditSQLRecordID") & ""

 
Sort by date Sort by votes
Escape it by using two single quotes, as in

Code: 
"It''s the the dog''s ........"

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Upvote 0 Downvote
I ended up doing this.
Code: 
Dim Location As String = Replace(Me.txtLocation.Text, "'", "''")

 
Upvote 0 Downvote
A stored procedure and parameters is safer... and prevents SQL injection.

The code that you're using currently is very susceptible to injection.

... something as simple as typing this:
'; TRUNCATE TABLE Recognition;

... into your txtEmployeeName field.

It's worse if you use a select statement....
Say, for example you had this:

SELECT * FROM Users WHERE UserID='" & txtUserID & "'"

... now, type into the txtUserID...
' OR '1'='1

... now your select statement just became:

SELECT * FROM Users WHERE UserID='' OR '1'='1'

... I just got your entire users table.

This is the lesson learned, and why it should be converted over to stored procedures with parameters.





Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AhmedAzizBarbary
  • Locked
  • Question
How to read data response body after success login razor page ?
Replies
0
Views
154
AhmedAzizBarbary
AhmedAzizBarbary
AhmedAzizBarbary
  • Locked
  • Question
How to pass list of checkboxes not checked on page model razor page?
Replies
0
Views
151
AhmedAzizBarbary
AhmedAzizBarbary
weberm
  • Locked
  • Question
How do I make a page with multiple AJAX custom controls?
Replies
2
Views
146
weberm
weberm
a6green
  • Locked
  • Question
How to configure AT&T / Avaya Definity G3 incoming ISDN trunk
Replies
2
Views
166
a6green
a6green
G12Consult
  • Locked
  • Question
Help with Json
Replies
2
Views
144
gmmastros
gmmastros

Part and Inventory Search

Sponsor

Back
Top