October 5th, 2006, 09:44 AM   #1
djanim8
New Member
Join Date: Dec 2005
Posts: 13
using apostrophe in sql statement

I'm having an error with my ASP page when a person puts an apostrophe into a field to be entered into a SQL database. Here is a test on the SQL statement:

SELECT * FROM tblRequests WHERE firstname="Test" AND lastname="Test'O" AND checktype="Bankruptcy" AND dateEntered="10/5/2006"

here is the code that puts it together:

Code:
  ' Each value is wrapped in Chr(34) (a double quote) and concatenated straight into the SQL text.
  newSQL="SELECT * FROM tblRequests WHERE firstname=" & Chr(34) & MBRequest("txtFirst") & Chr(34) & ""
  newSQL=newSQL & " AND lastname=" & Chr(34) & MBRequest("txtLast") & Chr(34) & ""
  newSQL=newSQL & " AND checktype=" & Chr(34) & Session("CheckType") & Chr(34) & ""
  ' FormatDateTime(now(), 2) gives the short date, e.g. 10/5/2006
  newSQL=newSQL & " AND dateEntered=" & Chr(34) & FormatDateTime(now(),2) & Chr(34) & ""
The error I get is this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
ODBC driver does not support the requested properties.
/secur-it/background/submitorder.asp, line 125


Can anyone help me out with this?
October 10th, 2006, 09:09 AM   #2
GillBates
New Member
Join Date: Sep 2003
Location: Dubai, United Arab Emirates
Posts: 27
Re: using apostrophe in sql statement

You need to escape all single quotes with another single quote as a bare minimum.

So

Denis O'Reilly

becomes

Denis O''Reilly

(with two single quotes instead of one single quote).

Use a function that does a replace... e.g.

Function SQLSafe(strText)
    ' Double every single quote so it is read as a literal apostrophe, not the end of the string.
    SQLSafe = Replace(strText, "'", "''")
End Function

Then you can put SQLSafe(xxx) around whatever values you link into your SQL query.

Failing to sanitize scripts like this is more dangerous than you think. Google for SQL injection and prepare to cr4p your pants.
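Added example (Python with sqlite3; not code from the thread or from either poster): it ports the reply's SQLSafe() replace, runs the thread's own Test'O lookup with and without escaping, and adds the parameterized form that removes the need to escape at all. The tblRequests table, its one row and the date string are constructed for the example.

```python
import sqlite3

# Constructed for this example: a small table shaped like the thread's tblRequests.
SCHEMA = ("CREATE TABLE tblRequests (firstname TEXT, lastname TEXT, "
          "checktype TEXT, dateEntered TEXT)")
ROW = ("Test", "Test'O", "Bankruptcy", "10/5/2006")


def sql_safe(text):
    """Port of the reply's SQLSafe(): double every single quote in a string literal."""
    return text.replace("'", "''")


def build_query(first, last, checktype, date, escape):
    """String-concatenated SELECT, as the ASP page builds it; escape=True applies sql_safe."""
    esc = sql_safe if escape else (lambda s: s)
    return ("SELECT * FROM tblRequests WHERE firstname='%s' AND lastname='%s' "
            "AND checktype='%s' AND dateEntered='%s'"
            % (esc(first), esc(last), esc(checktype), esc(date)))


def _open_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO tblRequests VALUES (?, ?, ?, ?)", ROW)
    return con


def run_concatenated(escape):
    """Run the concatenated query for the thread's Test'O case.

    Returns the matching rows, or an 'error: ...' string when the unescaped
    apostrophe leaves the SQL malformed (the kind of failure the poster hit).
    """
    try:
        return _open_db().execute(build_query(*ROW, escape=escape)).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % exc


def run_parameterized(first, last, checktype, date):
    """Preferred fix: placeholders, so the driver never splices values into the SQL text."""
    return _open_db().execute(
        "SELECT * FROM tblRequests WHERE firstname=? AND lastname=? "
        "AND checktype=? AND dateEntered=?", (first, last, checktype, date)).fetchall()


if __name__ == "__main__":
    print(run_concatenated(escape=False))   # error: ... (malformed SQL)
    print(run_concatenated(escape=True))    # [('Test', "Test'O", 'Bankruptcy', '10/5/2006')]
    print(run_parameterized(*ROW))          # same row, no escaping needed
```

In Classic ASP the parameterized form corresponds to an ADODB.Command whose values are supplied through CreateParameter rather than concatenated into the SQL string.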