
SQL String Quotes

Scott
#1: Nov 15 '08
I've got a db that has a table called USERS that contains IP addresses for
each record. Below, I'm trying to select any user with an IP address equal
to the variable "userIP". What are the proper quotes to use when using SQL
to compare a string variable to a text column?

The database is an Access 2000 database and I'm using ASP Classic.

CODE: ***********************

sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"



Bob Barrows
#2: Nov 15 '08

re: SQL String Quotes


Scott wrote:
> I've got a db that has a table called USERS that contains IP
> addresses for each record. Below, I'm trying to select any user with
> an IP address equal to the variable "userIP". What are the proper
> quotes to use when using SQL to compare a string variable to a text
> column?
> The database is an Access 2000 database and I'm using ASP Classic.
>
> CODE: ***********************
>
> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"

With Jet, either full quotes or single quotes (apostrophes) may be used. Of
course, you could use parameters and never have to worry about delimiters
again, as well as eliminating the possibility that a hacker could compromise
your site using SQL injection. See:
http://groups-beta.google.com/group/...e36562fee7804e



--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
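
Added example, not part of the original thread: the parameterised form recommended in the reply above, written for ASP Classic with ADODB.Command against a Jet database. The database path and the FindUsersByIP helper are hypothetical; the Users table and IP column are the ones from the question.

```vbscript
<%
' Added example, not code from the thread.
' ADO constants, declared here so adovbs.inc is not required.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Hypothetical helper: returns a recordset of Users rows whose IP equals ipValue.
Function FindUsersByIP(conn, ipValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" is a positional placeholder, so no quote characters are written
    ' around the value and the question of which delimiter to use goes away.
    cmd.CommandText = "SELECT * FROM Users WHERE IP = ?"
    ' The value travels as data, separate from the SQL text. A value holding
    ' an apostrophe (constructed sample: 10.0.0.1'x) would end the string
    ' literal early in the concatenated statement; here it is compared as-is
    ' and matches no row.
    cmd.Parameters.Append cmd.CreateParameter("ip", adVarWChar, adParamInput, 45, ipValue)
    Set FindUsersByIP = cmd.Execute
End Function

Dim conn, rs, userIP
userIP = Request.ServerVariables("REMOTE_ADDR")

' 45 characters covers the longest textual IPv6 address; refuse anything else
' before it reaches the parameter, whose declared size is also 45.
If Len(userIP) = 0 Or Len(userIP) > 45 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' Hypothetical database location.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/data/site.mdb")

Set rs = FindUsersByIP(conn, userIP)
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("IP") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```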


Anthony Jones
#3: Nov 15 '08

re: SQL String Quotes



"Bob Barrows" <reb01501@NOyahoo.SPAMcom> wrote in message
news:uubaMv1RJHA.588@TK2MSFTNGP06.phx.gbl...
> Scott wrote:
>> I've got a db that has a table called USERS that contains IP
>> addresses for each record. Below, I'm trying to select any user with
>> an IP address equal to the variable "userIP". What are the proper
>> quotes to use when using SQL to compare a string variable to a text
>> column?
>> The database is an Access 2000 database and I'm using ASP Classic.
>>
>> CODE: ***********************
>>
>> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"
>
> With Jet, either full quotes or single quotes (apostrophes) may be used.
> Of course, you could use parameters and never have to worry about
> delimiters again, as well as eliminating the possibility that a hacker
> could compromise your site using SQL injection. See:
> http://groups-beta.google.com/group/...e36562fee7804e

Whilst I agree completely that a command would be much better than
concatenation in this case, if the REMOTE_ADDR from which the OP will be
drawing the IP address has been hacked to contain something malicious
then the site is already in big trouble. ;)

--
Anthony Jones - MVP ASP/ASP.NET
