Maybe you should use a stored procedure or parameters instead of
building the string manually. Then you don't have to worry about the '
issue, and you don't have to worry about a SQL injection attack.
Instead of

    sSQL = "update table set column='" + sSomeVariable + "' where x='" + sSomeValue + "'"

do

    sSQL = "update table set column=@sValue where x=@sKey"

Then, if it's a command object in ADO or ADO.NET, add parameters to
your command object containing the values.
Personally, I prefer to put the update in the stored procedure then
pass parameters to the stored procedure.
But, if you want to do it the string way...

    sSQL = "update table set column='" + replace(sSomeVariable, "'", "''") + "' where x='" + replace(sSomeValue, "'", "''") + "'"

Assuming VB/ASP there. .NET would be sSomeVariable.Replace("'", "''")
"Qwiati" <qw****@wp.pl> wrote in message news:<c5**********@news.onet.pl>...
"Steven Wilmot" <st*********@wilmot.me.uk> wrote in message
news:40***********************@news.aaisp.net.uk...
"Qwiati" <qw****@wp.pl> wrote in message news:c5*********@news.onet.pl...
Hi
My user put ' in an editable place and then pressed enter, so in this way text information with a ' string was put into the database.
When I try to use the command UPDATE and try to change the text with ' and use the command WHERE = ('text'') then I just receive an error command from the SQL2000 server - I know what kind of problem it is but I need your help to get some different command or method to change the wrongly put information.
Thx for your quick help
Kayser
Replace any occurrence of {quote} in your string with {quote}{quote}.
e.g.
update mytable set field = ' doesn''t ... ' where field = 'does not'
Hmmm, but let me show you what I have:
update mytable set field = 'blabla' where field = 'blabla" - this is my
problem, because the end of the text I have in the database has this --> ' <--
so if I set the command: where field = 'blabla" then I have .......syntax error
:D
Or I didn't understand what you would like to tell me ;)
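
The three approaches discussed in this thread, side by side, as an added example that is not part of the original posts. It uses Python's built-in sqlite3 with an in-memory database as a stand-in for SQL Server 2000 and ADO, and `:sValue` / `:sKey` named placeholders in place of `@sValue` / `@sKey`; the function names and the sample row are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample row: the stored text ends with a single quote,
    # which is the situation described in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mytable (field TEXT)")
    db.execute("INSERT INTO mytable (field) VALUES (?)", ("blabla'",))
    return db

def update_concatenated(db, new_value, old_value):
    # Values pasted into the SQL text unchanged: a ' inside a value ends
    # the string literal early and the statement no longer parses.
    sql = ("UPDATE mytable SET field='" + new_value
           + "' WHERE field='" + old_value + "'")
    try:
        return db.execute(sql).rowcount
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def update_doubled(db, new_value, old_value):
    # The string fix from the thread: every ' in a value becomes ''.
    sql = ("UPDATE mytable SET field='" + new_value.replace("'", "''")
           + "' WHERE field='" + old_value.replace("'", "''") + "'")
    return db.execute(sql).rowcount

def update_parameterized(db, new_value, old_value):
    # Values are bound separately from the SQL text, so no escaping is
    # needed and a value can never change the statement's structure.
    sql = "UPDATE mytable SET field=:sValue WHERE field=:sKey"
    return db.execute(sql, {"sValue": new_value, "sKey": old_value}).rowcount

def current_values(db):
    return [row[0] for row in db.execute("SELECT field FROM mytable")]

if __name__ == "__main__":
    db = make_db()
    print(update_concatenated(db, "blabla", "blabla'"))   # error string
    print(update_parameterized(db, "it's", "blabla'"))    # rows updated
    print(current_values(db))
```
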