Problem with characters like ' (single quotes) in the query

  • Thread starter Thread starter m_asu
  • Start date Start date
M

m_asu

Guest
Hi All,

I have a discussion forum application through which users submit messages. Users write in the text box, which is then processed by Java into a String query and then executeQuery puts it into MS ACcess database.

My question:

Some characters like ' (single quotes) can screw up the SQL query syntaxt and then the user can get an error and the message may never be posted. I have taken care of the single quote as follows: (assume String variable 'data' represents the message to be posted).
data = data.replaceAll("'", "''");

What this basically does replaces all the single quotes by 2 single quotes each. Thus the query syntax will by maintained. Are there any other characters which can screw up the SQL syntax and which I may have to replace before processing the query?

Thanks in advance.

m_asu
 
# could cause a problem as this is what you use in SQL to surround dates.
 
dates in a string

But I am sure that if the date is part of the message String, then it wont cause any problems.

Example: If user tries to post:

My birthday is same as your's: i.e. 01/01/78

---

If above message is being put into String variable and then into SQL, the only manipulation that I will have to do before make it into an SQL statement is that I replace ' with ''.

Right? Or date will also make create complications?

If I am comparing dates then I will have to use #. not otherwise.
right?

thanks in advance.

m_asu
 
You're confusing me. Are you saying that you're taking a complete message and putting it in the Where clause of the SQL statement? Show me your SQL if you don't mind.
 
M_asu
I am having the identical problem you mentioned with single quotes
Trouble is your solution is neat but not enough for me as I need to have the string exactly as the user enters it without replacing single quotes with double
Is there any other way ? e.g to surround that part of the sql with brackets etc so that it takes all the text as one string?
Or a string in a string?
Thanks
 
Happy
As the double quote is less likely to occur in text strings, you can use the double quote as the text delimiter, e.g. instead of using,

SQL = "Select * from Table1 where Description ='" & Me.txtSearchString & "'"

you can use,
SQL = "Select * from Table1 where Description =""" & Me.txtSearchString & """"
 
Thanks Jon to my rescue again.
Can you be more specific. It stops on the line
If (DCount("*", "tblprinter", "[strprinter] = '" & strPrinterNew & " '")) > 0 Then

strprinternew is the text with the single quote
So how do I replace it
Thanks
 
If (DCount("*", "tblprinter", "[strprinter] = """ & strPrinterNew & """")) > 0 Then


i.e. replace each single quote with two double quotes.
 
Thanks Jon that works a treat
Is that always true i.e. One can replace a single quote with 2double?
 
Yes, we can always use the double quotes as the text delimiter instead of the normal single quotes. Just replace each of the normal single quotes with two consecutive double quotes.
 
You must log in or register to reply here.

Similar threads

P
Solved Query to Get First and Last Record in a Single Row
Replies
17
Views
804
Pat Hartman
P
F
Your Query does not include the specified Expression ‘ID’ as part of an Aggregate Function
Replies
8
Views
561
June7
June7
AOB
Solved Parameterised query requires me to re-cast parameter in order to run (?)
Replies
6
Views
252
AOB
AOB
AOB
Solved Insert records where ID combination not already present (JOIN expression not supported)
Replies
2
Views
173
arnelgp
arnelgp
S
Getting total in one line of the query
Replies
13
Views
223
silentwolf
S

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Back
Top Bottom