dbasql.chseck at kuehne-holz.de
Mon Feb 17 02:47:18 CST 2003
Hi David,

replace every ' with '' (2 apostrophes, the first ' acts as an escape character) before sending the sql statement to SQL2000. This especially gives you some (though not enough) protection in case of sql injections ([Forms]![frmCustomers]!MName = "test ' drop table tblCustStatement -- " etc.)

Christoph Seck

-------- Original Message --------
Subject: [dba-SQLServer]Changing apostrophes in string (17-Feb-2003 4:21)
From: davide at dalyn.co.nz
To: dbaSQL.chseck at kuehne-holz.de

> I tried the archives but couldn't get in.
>
> I have a simple sql statement to be run from an AXP ADP to SQL2000
>
> DoCmd.RunSQL "UPDATE tblCustStatement SET tblCustStatement.SMName = '" &
> [Forms]![frmCustomers]![MName] & "' WHERE (((tblCustStatement.CustIDNo)=
> " & [Forms]![frmCustomers]![txtCustomerID] & ") AND
> ((tblCustStatement.StatementNumber)= " &
> [Forms]![frmCustomers]![txtInvNumber] & "));"
>
> How do we handle the following situation where [Forms]![frmCustomers]!MName
> includes an apostrophe?
>
>
> Regards
>
> David Emerson
> DALYN Software Ltd
> 25b Cunliffe St, Johnsonville
> Wellington, New Zealand
> Ph/Fax (877) 456-1205
>
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com
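Added example, not from either poster: Christoph's apostrophe-doubling applied to David's UPDATE, beside the bound-parameter form that makes escaping unnecessary. It assumes an in-memory sqlite3 database as a stand-in for SQL2000 (both treat '' inside a string literal as one apostrophe); the table and row are constructed here, and the numeric CustIDNo/StatementNumber values are still spliced in unquoted, which is one reason doubling quotes alone is "not enough".

```python
import sqlite3

# Constructed stand-in for the page's tblCustStatement (assumption: sqlite3, not SQL2000).
TABLE_SQL = "CREATE TABLE tblCustStatement (CustIDNo INTEGER, StatementNumber INTEGER, SMName TEXT)"


def escape_apostrophes(value: str) -> str:
    """Christoph's suggestion: write every ' as '' before splicing into the SQL text."""
    return value.replace("'", "''")


def build_update_escaped(mname: str, cust_id: int, inv_number: int) -> str:
    """David's UPDATE rebuilt as a string, with only the name field escaped.

    The two numeric fields are still concatenated unquoted, exactly as in the
    original DoCmd.RunSQL line, so doubling apostrophes does nothing for them.
    """
    return (
        "UPDATE tblCustStatement SET SMName = '" + escape_apostrophes(mname) + "' "
        "WHERE CustIDNo = " + str(cust_id) + " AND StatementNumber = " + str(inv_number) + ";"
    )


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(TABLE_SQL)
    conn.execute("INSERT INTO tblCustStatement VALUES (1, 10, 'old')")  # constructed row
    return conn


def run_escaped(mname: str) -> str:
    """Execute the escaped string-built UPDATE and return what SMName now holds."""
    conn = _fresh_db()
    conn.execute(build_update_escaped(mname, 1, 10))
    return conn.execute("SELECT SMName FROM tblCustStatement WHERE CustIDNo = 1").fetchone()[0]


def run_parameterized(mname: str) -> str:
    """Safer form: the name (and the numbers) travel as bound parameters, never as SQL text."""
    conn = _fresh_db()
    conn.execute(
        "UPDATE tblCustStatement SET SMName = ? WHERE CustIDNo = ? AND StatementNumber = ?",
        (mname, 1, 10),
    )
    return conn.execute("SELECT SMName FROM tblCustStatement WHERE CustIDNo = 1").fetchone()[0]
```

With the page's own sample input, both forms store the whole string "test ' drop table tblCustStatement -- " as data; the parameterized form needs no escaping at all and also covers the numeric fields.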