[dba-SQLServer]Changing apostrophes in string

David Emerson davide at dalyn.co.nz
Tue May 20 20:40:11 CDT 2003


I know it has been a long time but I finally managed to get around to 
fixing this part of my program.  I have a couple of refinements that I have 
shown below.  One is that if the apostrophe is at the end of the text then 
it would not have been picked up (needed to change the comparison to 
<=).  Second was that if there was more than 1 apostrophe then because the 
ChkText was getting longer with the extra apostrophes it might not have 
checked to the end so I deleted the lbLength variable and checked against 
the new length each loop.  Here is my amended code.

Public Function basFixSingleQuote(strChkText As String) As String

     Dim intPosition As Integer

     intPosition = InStr(1, strChkText, "'")

     Do While intPosition > 0 And intPosition <= Len(strChkText)
         strChkText = Left(strChkText, intPosition) & Mid(strChkText, 
intPosition)
         intPosition = InStr(intPosition + 2, strChkText, "'")
     Loop

     basFixSingleQuote = strChkText

End Function

Regards

David Emerson

At 17/02/2003, you wrote:
>Hi David:
>
>Here is an example that works with all versions of Access:
>
>     ....
>     With EmployeeRecord
>         .Surname = FixSingleQuote(.Surname)
>     End With
>     ....
>
>Public Function FixSingleQuote(ChkText As String) as String
>     Dim lbPosition As Integer
>     Dim lbLength As Integer
>
>     lbLength = Len(ChkText)
>     lbPosition = InStr(1, ChkText, "'")
>
>     Do While lbPosition > 0 And lbPosition < lbLength
>         ChkText = Left(ChkText, lbPosition) & Mid(ChkText, lbPosition)
>         lbPosition = InStr(lbPosition + 2, ChkText, "'")
>     Loop
>
>     FixSingleQuote = ChkText
>
>End Function
>
>HTH
>Jim
>
>-----Original Message-----
>From: dba-sqlserver-admin at databaseadvisors.com
>[mailto:dba-sqlserver-admin at databaseadvisors.com]On Behalf Of David
>Emerson
>Sent: Monday, February 17, 2003 9:58 AM
>To: dba-sqlserver at databaseadvisors.com
>Subject: Re: [dba-SQLServer]Changing apostrophes in string
>
>
>Thanks.  Does anyone have the code handy to do this (I could sit down and
>write a function that does it but am running out of time).
>
>David
>
>At 17/02/2003, you wrote:
> >Hi David,
> >
> >replcace every ' with '' (2 apostrophes, the first ' acts as an escape
> >character) before sending
> >the sql statement to SQL2000.
> >This especially gives you some (though not enough) protection in case of
> >sql injections ([Forms]![frmCustomers]!MName =
> >"test ' drop table tblCustStatement -- " etc.)
> >
> >
> >Christoph Seck
> >
> >
> >
> >-------- Original Message --------
> >Subject: [dba-SQLServer]Changing apostrophes in string (17-Feb-2003 4:21)
> >From:    davide at dalyn.co.nz
> >To:      dbaSQL.chseck at kuehne-holz.de
> >
> > > I tried the archives but couldn't get in .
> > >
> > > I have a simple sql statement to be run from and AXP ADP to SQL2000
> > >
> > > DoCmd.RunSQL "UPDATE tblCustStatement SET tblCustStatement.SMName = '" &
> > > [Forms]![frmCustomers]![MName] & "' WHERE (((tblCustStatement.CustIDNo)=
> > > " & [Forms]![frmCustomers]![txtCustomerID] & ") AND
> > > ((tblCustStatement.StatementNumber)= " &
> > > [Forms]![frmCustomers]![txtInvNumber] & "));"
> > >
> > > How do we handle the following situation where
> > [Forms]![frmCustomers]!MName
> > >
> > > includes an apostrophe?
> > >
> > >
> > > Regards
> > >
> > > David Emerson
> > > DALYN Software Ltd
> > > 25b Cunliffe St, Johnsonville
> > > Wellington, New Zealand
> > > Ph/Fax (877) 456-1205
> > >
> > > _______________________________________________
> > > dba-SQLServer mailing list
> > > dba-SQLServer at databaseadvisors.com
> > > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> > > http://www.databaseadvisors.com
> > >
> >
> >_______________________________________________
> >dba-SQLServer mailing list
> >dba-SQLServer at databaseadvisors.com
> >http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> >http://www.databaseadvisors.com
>
>_______________________________________________
>dba-SQLServer mailing list
>dba-SQLServer at databaseadvisors.com
>http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
>http://www.databaseadvisors.com
>
>_______________________________________________
>dba-SQLServer mailing list
>dba-SQLServer at databaseadvisors.com
>http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
>http://www.databaseadvisors.com



More information about the dba-SQLServer mailing list