When I have a ' in my database I have an error...?! 2

[RSX02]

Hi
I have a textbox where my user can make a search by the first_name. When the user click on the search button, it display the result in a datagrid.

My problem is when the user enter a first name with a ' in it. It cause me this error: the 'dd' text is the text after the '

An unhandled exception of type 'System.Data.SyntaxErrorException' occurred in system.data.dll

Additional information: Syntax error: Missing operand after 'dd' operator.

Here is the code that cause me this error:

dv.RowFilter() = "First_Name = '" + Me.TextBox16.Text + "'"

Does anybody know a clean way to solve this problem?

Thanks in advance
Rsx02

 

[RiverGuy]

Yeah, replace each single quote with two single quotes when you save. Look at the replace function.

 

[Paszt]

Rsx02,

As a simple solution, replace the single quote with two single quotes:

dv.RowFilter() = "First_Name = '" & Me.TextBox16.Text.replace("'","''") & "'"

It is important that you know about SQL injection. Here is one of the many articles on the net:

http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/

-Stephen Paszt

 

[chiph]

Doubling-up the single quotes (and double-quotes) will leave you open to a hacker attack known as SQL Injection. Do a Google search, or see the FAQ in the VB Databases forum for the consequences of using their technique.

You should always use ADO.NET Parameter objects to pass values into any kind of SQL query (even a SELECT query). Doing so gives you two main benefits: Protection against SQL Injection, and higher performance because the database will be able to cache your query for next time you use it.

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first