Hello all!

I need to fill a database using microsoft access and sql in an asp page.

I need to check that the input is not exsit yet, so I use the following to create sql sentence:
tempsql = select * from table where filed= '"
tempsql = tempsql & request.form("name")
tempsql = tempsql & "'"

My problem is that I have to allow the input to include the sign ' ... it doesnt agree to acept it because of the field =' '...

In which other form can I get that input?

12 Years
Discussion Span
Last Post by Lafinboy

You will need to use a simple, yet essential, replace statement on your inputs to allow the use of quotes. This allows the users to input values such as O'Hare legitimately, and also prevents the simplest form of SQL Injection attack by the use of a ' to break the code. A simple function to replace quotes would be like:

function cleanString( string )
'// replace single quotes
strTemp = replace(string, "'", "''")
'// replace quotes
strTemp = replace(strTemp, """", """""")
cleanString = strTemp
end function
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.