Member Avatar for Plonter

Hello all!

I need to fill a database using microsoft access and sql in an asp page.

I need to check that the input is not exsit yet, so I use the following to create sql sentence:
tempsql = select * from table where filed= '"
tempsql = tempsql & request.form("name")
tempsql = tempsql & "'"

My problem is that I have to allow the input to include the sign ' ... it doesnt agree to acept it because of the field =' '...

In which other form can I get that input?
Thanks,
Plonter

  • 2 Contributors
  • 1 Reply
  • 63 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by Lafinboy
Member Avatar for Lafinboy

You will need to use a simple, yet essential, replace statement on your inputs to allow the use of quotes. This allows the users to input values such as O'Hare legitimately, and also prevents the simplest form of SQL Injection attack by the use of a ' to break the code. A simple function to replace quotes would be like:

function cleanString( string )
'// replace single quotes
strTemp = replace(string, "'", "''")
'// replace quotes
strTemp = replace(strTemp, """", """""")
cleanString = strTemp
end function
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.