escape sql statements (1 Viewer)

D

dreamdelerium

Registered User.
Local time
Today, 10:40
Joined
Aug 24, 2007
Messages
88
hi everyone. when i send an sql statement to update a table or add a record i am using the replace function [ie, replace (something, "'", "''")] to remove all single quotes from my string. are there other characters i need to remove as well that might cause problems? here is an example of my insert strings:

Code: 
For i = 0 To 186
InsertString = InsertString & "Q" & Format(i, "000") & ","
Next i
GetLength = Len(InsertString) - 1
InsertString = Left(InsertString, GetLength)
For i = 0 To 186
InsertString1 = InsertString1 & Replace(Forms![frmSection1].Controls("Q" & Format(i, "000")).Value, "'", "''") & "','"
Next i
GetLength = Len(InsertString1) - 1
InsertString1 = Left(InsertString1, GetLength)
MyNewString = "Insert into tblSection1 (QuestionaireID,DistrictID,FacilityID,SectionID,StudyID," & InsertString & ") " _
& "values ('" & q1 & "','" & GetDistrict & "','" & GetFacility & "','1','" & GetCode & "','" & InsertString1 & ")"
 
GetLength = Len(MyNewString) - 2
MyNewString = Left(MyNewString, GetLength)
MyNewString = MyNewString & ")"
MyNewString = MyNewString
buildMyStringForm1 = MyNewString

i know it looks a bit screwed up but this was the fastest way to create an insert sql statement with 187 inserts. thanks for the help
jason
 
N

namliam

The Mailman - AWF VIP
Local time
Today, 19:40
Joined
Aug 11, 2003
Messages
11,695
having a table with columns Q001, 002, 003,...., 186 smells like something that NEEDS redesigning...

Since you are enclosing your strings inside the SQL by ' you only have to escape/replace the ', nothing more nothing less.
 
D

dreamdelerium

Registered User.
Local time
Today, 10:40
Joined
Aug 24, 2007
Messages
88
that was the best way i could think of to design it. if you know a better way id appreciate the help. the database is meant to capture responses to a survey. the survey has 7 sections. each section has about 50-200 questions. i have 8 tables (one table as the master table, 7 as children, one for each section) so, when i want to insert the responses into a table (depending on what section is being saved) i run an sql command similar to the one i posted earlier. this way i prevent mistakes in the sql statements, its quick, and i can reuse the code for every section with minor changes.

anywho, the point of my last post was to ask if there are other charachters that i need to be aware of that could cause problems when run in an sql statement
 
N

namliam

The Mailman - AWF VIP
Local time
Today, 19:40
Joined
Aug 11, 2003
Messages
11,695
OK, So the design I would suggest is something like:
Master Key, Section NR, Question NR, Answer

This way you only have one table with limitless sections, limitless questions. Instead of beeing limited to 7 tables/sections with again a limited number of questions inside it.

anywho, your orignal question I answered in my previous post as well...

Me said:
Since you are enclosing your strings inside the SQL by ' you only have to escape/replace the ', nothing more nothing less.
Click to expand...
 
You must log in or register to reply here.

Similar threads

V
Incorrect SQL Statement while using more than one criteria
Replies
13
Views
909
jameswatson12
J
isladogs
  • Locked
Show Plan - Run Faster
Replies
3
Views
3,355
isladogs
isladogs
C
Variables in SQL string statements.
Replies
2
Views
1,531
Clepto
C
C
Quotes and Apostrophies in SQL Statements
Replies
7
Views
970
craigachan
C
D
Search form will not return exact with wildcard SQL
Replies
12
Views
2,190
vbaInet
V

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Top Bottom