Need help handling quotation marks in SQL insert

[SmileyFace]

Hey Guys. Really need your help with this one.

I am inserting data into an SQL server table from my asp page but need a function to handle the single quotation marks. I basically need to read the string being inserted into the table field and replace any single quotation marks (') with double quotes (&quot before inserting else I will get an error. PLEASE HELP me with this!! Would really appreciate if someone could help me with the script.

Thanks a lot!

 

[onpnt]

please don't double post in multi forums
thread333-649136



_____________________________________________________________________
_{Where have all my friends gone to????}

http://www.onpntwebdesigns.com

 

[PHV]

To replace all the single quotes in string TST by double quotes, just do this:

TST=Replace(TST,"'",Chr(34))

Hope This Help
PH.

 

[SmileyFace]

Hey onpnt! Thanks for all the information. I wasn't aware of the SQL Injection Attack. Will have to take that into consideration now. One more thing...I post in multiple forums to invite more responses. I didn't intend to make you respond several times. Sorry.

Hey PH! I did use the 'Replace' statement but instead of Chr(34) just used """ and it worked fine. Thanks anyways. Could you tell me why you used Chr(34)?

 

[PHV]

To make the code more readable for me, as I'm often lost with too many """

Hope This Help
PH.

 

[clarkin]

I think you should use :

TST=Replace(TST,"'","''")

which is the correct way to escape single quotes (') in SQL Server - better than changing them to double quotes. This way you can do stuff like search text columns for a single quote (comes up often in surnames, eg O'Connell).

Posting code? Wrap it with code tags: [ignore]

[/ignore][code]CodeHere

[ignore][/code][/ignore].