SQL String Quotes

  #1  
November 15th, 2008, 07:15 PM
Scott

I've got a db that has a table called USERS that contains IP addresses for
each record. Below, I'm trying to select any user with an IP address equal
to the variable "userIP". What are the proper quotes to use when using SQL
to compare a string variable to a text column?

The database is an Access 2000 database and I'm using ASP Classic.

CODE: ***********************

sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"


  #2  
November 15th, 2008, 08:05 PM
Bob Barrows

re: SQL String Quotes


Scott wrote:
> I've got a db that has a table called USERS that contains IP
> addresses for each record. Below, I'm trying to select any user with
> an IP address equal to the variable "userIP". What are the proper
> quotes to use when using SQL to compare a string variable to a text
> column?
> The database is an Access 2000 database and I'm using ASP Classic.
>
> CODE: ***********************
>
> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"

With Jet, either full quotes or single quotes (apostrophes) may be used. Of
course, you could use parameters and never have to worry about delimiters
again, as well as eliminating the possibility that a hacker could compromise
your site using SQL injection. See:
http://groups-beta.google.com/group/...e36562fee7804e



--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
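
Post #2's suggestion to use parameters, written out as an added example that is not part of the thread or any poster's code: an ADODB.Command with a positional ? marker against the Jet provider. The database path, the 45-character column width and reading userIP from REMOTE_ADDR are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_IP_LEN = 45          ' assumed width of the IP text column

Dim conn, cmd, rs, userIP

' Assumption: userIP is read from REMOTE_ADDR, as post #3 supposes.
userIP = Request.ServerVariables("REMOTE_ADDR")

' ADO rejects a value longer than the parameter's declared size,
' so refuse empty or oversized input up front.
If Len(userIP) = 0 Or Len(userIP) > MAX_IP_LEN Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: placeholder path to the Access 2000 (.mdb) file.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/data/example.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? marker takes no quotes; Jet receives the value separately from the SQL text,
' so an apostrophe inside the value is compared as data, not parsed as a delimiter.
cmd.CommandText = "SELECT * FROM Users WHERE IP = ?"
cmd.Parameters.Append cmd.CreateParameter("ip", adVarChar, adParamInput, MAX_IP_LEN, userIP)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No matching user."
Else
    Response.Write "Found " & Server.HTMLEncode(rs("IP").Value)
End If

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```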


  #3  
November 15th, 2008, 08:45 PM
Anthony Jones

re: SQL String Quotes



"Bob Barrows" <reb01501@NOyahoo.SPAMcom> wrote in message
news:uubaMv1RJHA.588@TK2MSFTNGP06.phx.gbl...
> Scott wrote:
>> I've got a db that has a table called USERS that contains IP
>> addresses for each record. Below, I'm trying to select any user with
>> an IP address equal to the variable "userIP". What are the proper
>> quotes to use when using SQL to compare a string variable to a text
>> column?
>> The database is an Access 2000 database and I'm using ASP Classic.
>>
>> CODE: ***********************
>>
>> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"
>
> With Jet, either full quotes or single quotes (apostrophes) may be used.
> Of course, you could use parameters and never have to worry about
> delimiters again, as well as eliminating the possibility that a hacker
> could compromise your site using SQL injection. See:
> http://groups-beta.google.com/group/...e36562fee7804e

Whilst I agree completely that a command would be much better than
concatenation in this case, if the REMOTE_ADDR from which the OP will be
drawing the IP address has been hacked to contain something malicious
then the site is already in big trouble. ;)

--
Anthony Jones - MVP ASP/ASP.NET
