Problem with insert into statement

[markdt]

Hi people,

Got an issue inserting an SQL statement into access db.
It builds the sql like:

INSERT INTO tblConcern ("comments") VALUES ("something here with a apostrophe ' blah blah")

Basically the problem arrises when someone enters an
apostrophe. My code is below:

comments=Request.Form("txtcomments")
if comments="" then
comments=NULL
else
strSQL=strSQL & "comments,"
end if

My question is do i have to put brackets or something round the variable "comments"?

Thanks

Mark

 

[Sheco]

you could replace it with a similar char like: [red]`[/red]

or you could escape the single quote with another one

 

[Sheco]

so something like: replace(comments,"'", "`")
or this: replace(comments,"'", "''")

Another reason this is a good idea is what happens if someone entered comments like this:

'); DROP TABLE Clients; Go;