Using parameterized values in SQL statements

penfold1992

Hello,

I have been looking into a problem I have which appears quite common (the apostrophe problem!).

I've seen that a common solution is to double up the apostrophe, replacing ' with '' to avoid the special character; however, I also hear of another solution using "parameters".

I tried having a look around on the internet and got confused, so I thought maybe it would be better to ask here.

I just want to change my INSERT INTO and UPDATE commands to be able to use this (to prevent a potential SQL injection).
Also, I think it's important to know I'm using DAO to code (not sure if it's important). Either way, what can you tell me about this as a way around the apostrophe problem?
 
I would just simply use Chr(34). Easy.
Code:
varName = "O'Connor"
' Wrap the value in double quotes (Chr(34)) so the apostrophe is not treated as a string delimiter.
strSQL = "SELECT someField FROM theTable " & _
         "WHERE nameField = " & Chr(34) & varName & Chr(34) & ";"
' Or also, using doubled double-quotes inside the VBA string literal.
strSQL = "SELECT someField FROM theTable " & _
         "WHERE nameField = """ & varName & """;"
 
That doesn't prevent SQL injection at all, though.
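An added example (not code from this thread) of the DAO "parameters" approach the original question asks about: a temporary QueryDef with a PARAMETERS clause carries the value separately from the SQL text, so an apostrophe in the data is stored as plain data and cannot change the statement. The table name Contacts and the fields ContactID and NameField are assumed names.

```vba
Option Explicit

' Added example, not code from this thread. Assumes a table named Contacts
' with fields ContactID (AutoNumber) and NameField (Text), and a reference to
' the Microsoft DAO / Access Database Engine object library.

' INSERT with a typed parameter: the PARAMETERS clause declares the placeholder
' and the value is supplied separately, so "O'Connor" is never spliced into the SQL.
Public Sub InsertContact(ByVal contactName As String)
    Dim db As DAO.Database
    Dim qdf As DAO.QueryDef
    Set db = CurrentDb
    ' An empty name creates a temporary QueryDef that is not saved in the database.
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS [pName] Text(255); " & _
        "INSERT INTO Contacts (NameField) VALUES ([pName]);")
    qdf.Parameters("pName").Value = contactName
    qdf.Execute dbFailOnError
    qdf.Close
End Sub

' UPDATE with two parameters of different types.
Public Sub UpdateContactName(ByVal contactId As Long, ByVal contactName As String)
    Dim db As DAO.Database
    Dim qdf As DAO.QueryDef
    Set db = CurrentDb
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS [pId] Long, [pName] Text(255); " & _
        "UPDATE Contacts SET NameField = [pName] WHERE ContactID = [pId];")
    qdf.Parameters("pId").Value = contactId
    qdf.Parameters("pName").Value = contactName
    qdf.Execute dbFailOnError
    qdf.Close
End Sub

' SELECT counterpart of the Chr(34) example above, returning the matching rows.
Public Function FindContacts(ByVal contactName As String) As DAO.Recordset
    Dim db As DAO.Database
    Dim qdf As DAO.QueryDef
    Set db = CurrentDb
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS [pName] Text(255); " & _
        "SELECT ContactID, NameField FROM Contacts WHERE NameField = [pName];")
    qdf.Parameters("pName").Value = contactName
    Set FindContacts = qdf.OpenRecordset(dbOpenSnapshot)
End Function

' Constructed sample call: the apostrophe is inserted and matched as plain data.
Public Sub DemoApostrophe()
    InsertContact "O'Connor"
    Debug.Print FindContacts("O'Connor").RecordCount
End Sub
```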
 
