Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Replace command no longer needed? 1

Status
Not open for further replies.
bigfoot

bigfoot

Programmer
May 4, 1999
1,779
US
Whenever a user used an ' in a textbox, SQL would crash. I came across a Replace command that will replace the ' with a ''.

I just tried SQL 2000 without anything and I entered "Gary's Toys" as a company name, and SQL took it without a hassle. I was using stored procedures with parameters too.

Would that make a difference??
 
Sort by date Sort by votes
Yes, there is a BIG difference between sending it as a parameter and concatenating it into a string.

The only reason they cause so much trouble is that SQL uses single quotes to delimit char data in a query. So when you build a string like:

Code: 
Dim myvar As String = "gary's toys"

strSQL = "INSERT mytable (col1) VALUES ('" & myvar & "')"

You get "INSERT mytable (col1) VALUES ('gary's toys')" as the resultant string, which obviously errors when SQL tries to execute it.

When you pass in parameters, you are actually passing the value of the string and you aren't using delimiters in the same way, so you can basically pass in anything.

I hope this makes sense, it's quite hard to explain on paper! ;-)

--James
 
Upvote 0 Downvote
Yes. It did make sense. Is this going to bite me in the butt when I go to search on the field later.

Baybe I should use the replace command.

I used to do in line queries all the time before I learned how to do parameters.
 
Upvote 0 Downvote
Is this going to bite me in the butt when I go to search on the field later.

No, because the exact same value ends up in the DB whichever method you use to insert it: "gary's toys".

Generally, it is much better to use stored procs and pass in params when accessing the DB rather than use inline SQL. You get better performance, increased security and you don't have to guard against SQL injection attacks.

--James
 
Upvote 0 Downvote
You could also use JavaScript and the Client Side OnKeyPress event to stop control characters being entered into text boxes as well. But often that's a Business decision as to whether it's reasonable to exclude entry of certain characters within 'their' application.
Just a thought...

Rhys
Thought out... Maybe,
Opinionated... Probably
But it is only an opinion!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AhmedAzizBarbary
  • Locked
  • Question
How to pass list of checkboxes not checked on page model razor page?
Replies
0
Views
852
AhmedAzizBarbary
AhmedAzizBarbary
stinkybee
  • Locked
  • Question
Replace ’ characters from string
Replies
5
Views
522
stinkybee
stinkybee
JRB-Bldr
  • Locked
  • Question
StartupScript (javascript) No Longer Working in Web Form from Master Page
Replies
2
Views
100
jbenson001
jbenson001
G12Consult
  • Locked
  • Question
Forms authentication not working
Replies
4
Views
426
Rajkumarrrrr
Rajkumarrrrr
jasonhuibers
  • Locked
  • Question
Datagrid View : No value given for one or more required parameters.
Replies
3
Views
195
jbenson001
jbenson001

Part and Inventory Search

Sponsor

Back
Top