David Emerson
davide at dalyn.co.nz
Mon Feb 17 11:57:30 CST 2003
Thanks. Does anyone have the code handy to do this (I could sit down and write a function that does it but am running out of time). David At 17/02/2003, you wrote: >Hi David, > >replcace every ' with '' (2 apostrophes, the first ' acts as an escape >character) before sending >the sql statement to SQL2000. >This especially gives you some (though not enough) protection in case of >sql injections ([Forms]![frmCustomers]!MName = >"test ' drop table tblCustStatement -- " etc.) > > >Christoph Seck > > > >-------- Original Message -------- >Subject: [dba-SQLServer]Changing apostrophes in string (17-Feb-2003 4:21) >From: davide at dalyn.co.nz >To: dbaSQL.chseck at kuehne-holz.de > > > I tried the archives but couldn't get in . > > > > I have a simple sql statement to be run from and AXP ADP to SQL2000 > > > > DoCmd.RunSQL "UPDATE tblCustStatement SET tblCustStatement.SMName = '" & > > [Forms]![frmCustomers]![MName] & "' WHERE (((tblCustStatement.CustIDNo)= > > " & [Forms]![frmCustomers]![txtCustomerID] & ") AND > > ((tblCustStatement.StatementNumber)= " & > > [Forms]![frmCustomers]![txtInvNumber] & "));" > > > > How do we handle the following situation where > [Forms]![frmCustomers]!MName > > > > includes an apostrophe? > > > > > > Regards > > > > David Emerson > > DALYN Software Ltd > > 25b Cunliffe St, Johnsonville > > Wellington, New Zealand > > Ph/Fax (877) 456-1205 > > > > _______________________________________________ > > dba-SQLServer mailing list > > dba-SQLServer at databaseadvisors.com > > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > > http://www.databaseadvisors.com > > > >_______________________________________________ >dba-SQLServer mailing list >dba-SQLServer at databaseadvisors.com >http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >http://www.databaseadvisors.com