Maziar Aflatoun wrote:
Hi everyone,
I have a form that stores the information it collects into a
database. However, for textboxes if I have a user input as something
like
this 's 'sda, the ' causes it to fails (ex. Incorrect syntax near
's'...etc). Is there a function that would make this database safe?
Thank you
Maz.
Apart from Justin's suggestion, you can also use the Parameters
collection of the OleDbCommand or SqlCommand.
For instance: (this is for Visual Basic)
Dim strSQL As String =
"INSERT INTO myTable (Name,Address) VALUES (@Name,@Address)"
Dim cm As New OleDbCommand(strSQL,conn)
cm.Parameters.Add("@Name",nameFromUserInput)
cm.Parameters.Add("@Address",addressFromUserInput)
myList.DataSource=cm.ExecuteReader()
This code will take care of the quotes (note that it will also automatically
add quotes around string data in the SQL command).
It will convert DateTime input to the correct format for SQL as well.
On top of that, this code will also prevent hackers from inserting
unsafe commands into the SQL string.
--
Jos Branders