SU_Oran wrote:
This is on my HTML page
<td align=center>
<textarea cols="85" rows="7" name="Problem"></textarea>
</td>
User enters information into this box.
If they use either a quote or double quote, the SQL statement bombs.
Is there a quick way to fix this beforehand?
Conn.execute ("INSERT INTO PROBLEMS (Problem) VALUES ('" & Problem & "')")

This is easily fixed by not using dynamic sql:
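dim cmd, sSQL
' The ? is a parameter marker: the value is sent separately from the SQL text
sSQL = "INSERT INTO PROBLEMS (Problem) VALUES (?)"
set cmd=createobject("adodb.command")
cmd.commandtext=sSQL
set cmd.activeconnection=conn
' Execute RecordsAffected (omitted), Parameters, Options
' 129 = adCmdText (1) + adExecuteNoRecords (128)
cmd.Execute ,array(Problem),129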
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
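
Added example, not part of either post: the concatenated INSERT from the question next to the parameterized form from the reply, run over the same inputs. It assumes Python's sqlite3 with an in-memory database as a stand-in for the ADO connection; the sample inputs are constructed.

```python
import sqlite3

# Constructed sample inputs, standing in for text typed into the <textarea>.
SAMPLES = [
    "Printer is offline",
    "Can't log in",                      # single quote
    'Screen shows "Error 5"',            # double quote
    "Field shows '' instead of a name",  # two adjacent single quotes
]

def new_db():
    # Assumption: in-memory SQLite replaces the thread's ADO connection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PROBLEMS (Problem TEXT)")
    return conn

def insert_dynamic(conn, problem):
    # Same pattern as the question: the input becomes part of the SQL text.
    conn.execute("INSERT INTO PROBLEMS (Problem) VALUES ('" + problem + "')")

def insert_parameterized(conn, problem):
    # Same pattern as the reply: a ? marker, with the value passed separately.
    conn.execute("INSERT INTO PROBLEMS (Problem) VALUES (?)", (problem,))

def run(insert):
    """Return {input: outcome}; outcome is 'ok', 'altered' or 'error'."""
    results = {}
    for text in SAMPLES:
        conn = new_db()
        try:
            insert(conn, text)
        except sqlite3.Error:
            results[text] = "error"    # the statement no longer parses
        else:
            stored = conn.execute("SELECT Problem FROM PROBLEMS").fetchone()[0]
            # 'altered' means a row was stored, but not the text that was typed
            results[text] = "ok" if stored == text else "altered"
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    for name, fn in (("dynamic", insert_dynamic),
                     ("parameterized", insert_parameterized)):
        for text, outcome in run(fn).items():
            print(f"{name:14} {outcome:8} {text!r}")
```

With the concatenated statement, the doubled single quote does not raise an error but is stored as one quote, so the saved text differs from what was entered.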