I have been looking for how to INSERT text with an apostrophe in it into
SQL example:
dim TEXT as string
text = "TEST'S"
INSERT INTO tbl_Test (String) VALUSES('" & TEXT & "')"
This doesn't crash my program but it give me a error and doesn't insert
the string correctly.
Does anyone know the escape char in SQL, i tried &apos, and ESCAPE '/',
with a replace(mystrin g, "'", "/'")
Any help would be great thanks
Tom
*** Sent via Developersdex http://www.developersdex.com *** 5 13501
Have you tried escaping it with another ', i.e. something like
....VALUES('" & strText.Replace ("'", "''") & "')"
Or use a SqlCommand object and add the strings using
parameter objects without escaping them.
?
/JB
On Wed, 28 Dec 2005 07:10:58 -0800, Thomas Beyerlein <tb***@yahoo.co m>
wrote: I have been looking for how to INSERT text with an apostrophe in it into SQL example:
dim TEXT as string text = "TEST'S" INSERT INTO tbl_Test (String) VALUSES('" & TEXT & "')"
This doesn't crash my program but it give me a error and doesn't insert the string correctly.
Does anyone know the escape char in SQL, i tried &apos, and ESCAPE '/', with a replace(mystrin g, "'", "/'")
Any help would be great thanks Tom
*** Sent via Developersdex http://www.developersdex.com ***
"Thomas Beyerlein" <tb***@yahoo.co m> schrieb: I have been looking for how to INSERT text with an apostrophe in it into SQL example:
dim TEXT as string text = "TEST'S" INSERT INTO tbl_Test (String) VALUSES('" & TEXT & "')"
This doesn't crash my program but it give me a error and doesn't insert the string correctly.
Does anyone know the escape char in SQL, i tried &apos, and ESCAPE '/', with a replace(mystrin g, "'", "/'")
Use a parameterized command object instead, which will perform escaping
automatically.
Sample:
<URL:http://www.vb-tips.com/?ID=550279ec-6767-44ff-aaa3-eb8b44af0137>
--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://classicvb.org/petition/>
Thomas,
As Herfried suggests.
Use parameterized command objects! As it avoids SQL injection attacks! http://msdn.microsoft.com/msdnmag/is.../SQLInjection/
Of course parameterized command objects also escapes apostrophe's
correctly...
--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net
"Thomas Beyerlein" <tb***@yahoo.co m> wrote in message
news:OG******** ******@TK2MSFTN GP11.phx.gbl...
|
| I have been looking for how to INSERT text with an apostrophe in it into
| SQL example:
|
| dim TEXT as string
| text = "TEST'S"
| INSERT INTO tbl_Test (String) VALUSES('" & TEXT & "')"
|
| This doesn't crash my program but it give me a error and doesn't insert
| the string correctly.
|
| Does anyone know the escape char in SQL, i tried &apos, and ESCAPE '/',
| with a replace(mystrin g, "'", "/'")
|
| Any help would be great thanks
| Tom
|
|
| *** Sent via Developersdex http://www.developersdex.com ***
Jay,
As there is one thing that Bill Vaughn agree about (not the only thing) than
is it that this article that you shows should not be on MSDN. For us it is
an invitation for attacks.
As well I have seen often told, is that the parameter does prevent attacks.
In my opinion was there a flauw in SQL server 2000 that was less easy with
parameters and therefore should be used. AFAIK is that now protected by
Servicepack 3.
In the article that you show, I have often tried to find why a parameter
would prevent the attack. I never got it from this article, for me it only
explains how you can do an attack if you have the rights to give a text
command to a SQLserver. A parameter does than protect nothing.
For me the parameter is worthfull because is seamless connects .Net with
databaseservers .
However, maybe can you point me on the part of the article where it shows
that a parameter protects against attacks (not only by telling that).
Cor
Cor,
The section titled "Avoid Dynamic SQL" explains why parameterized SQL
prevents it.
If you need an explanation of how parameterized SQL works verses dynamic
SQL, on the server, you may want to ask "down the hall" in one of the SQL
newsgroups.
--
Hope this helps
Jay [MVP - Outlook]
..NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net
"Cor Ligthert [MVP]" <no************ @planet.nl> wrote in message
news:OQ******** ********@TK2MSF TNGP09.phx.gbl. ..
| Jay,
|
| As there is one thing that Bill Vaughn agree about (not the only thing)
than
| is it that this article that you shows should not be on MSDN. For us it
is
| an invitation for attacks.
|
| As well I have seen often told, is that the parameter does prevent
attacks.
| In my opinion was there a flauw in SQL server 2000 that was less easy with
| parameters and therefore should be used. AFAIK is that now protected by
| Servicepack 3.
|
| In the article that you show, I have often tried to find why a parameter
| would prevent the attack. I never got it from this article, for me it only
| explains how you can do an attack if you have the rights to give a text
| command to a SQLserver. A parameter does than protect nothing.
|
| For me the parameter is worthfull because is seamless connects .Net with
| databaseservers .
|
| However, maybe can you point me on the part of the article where it shows
| that a parameter protects against attacks (not only by telling that).
|
| Cor
|
| This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Terry Asher |
last post by:
The following script does NOT escape the Apostrophe.
Meaning when you mouseover the image the Alt tag
says this: DMACC, It and then it stops.
<SCRIPT Language="JavaScript">
var pos = "DMACC, It\'s the Smart Thing to Do.";
document.write("<img name=img5 id=img5 src='/homepage/dmaccstudent" +
Math.floor(Math.random() *20) +
".jpg' WIDTH=145 HEIGHT=230 border=0 ALT='"+pos+"'>");
</SCRIPT>
|
by: KathyB |
last post by:
Hi, not sure this is the right group, but hoping someone may have
experienced this.
I'm passing html text as a parameter to a javascript. When it has an
apostrophe in it, of course it does parse correctly. BTW, using IE6
and msxml3/4.
Even if I manually escape the ' with \' or '' the browser just sees it
as \' or '' and not as an escaped apostrophe.
|
by: soup_or_power |
last post by:
Hello All:
I'm having a whale of a problem with the following code. When the words
beginning with sugg contain an escaped single-quote (\' ==> back-slash
followed by quote) the script causes an error. How can I preserve the
single quote. Please review the code below and let me know. Many
thanks!
function clicker( but_id, sugg0, sugg1, sugg2, sugg3, sugg4, sugg5,
copy_type, p1) {
|
by: Matthew Wieder |
last post by:
In my previous post, I asked about a routine which prepares a string for
an XPath query by taking care of escape characters.
Unable to find a list, I'm now wondering assumign I enclose the
attribute value in quotes in my XPath query, what other escape
characters need to be handled aside from a quotation mark? As I
understand it, an apostrophe wouldn't be a problem since I'm enclosing
the string in quotes.
thanks!
|
by: Jeff S |
last post by:
In a VB.NET code behind module, I build a string for a link that points to a
JavaScript function. The two lines of code below show what is relevant.
PopupLink = "javascript:PopUpWindow(" & Chr(34) & PopUpWindowTitle & Chr(34)
& ", " & Chr(34) & CurrentEventDetails & ")"
strTemp += "<BR><A HREF='#' onClick='" & PopupLink & "'>" & EventName &
"</A><BR>"
The problem I have is that when the string variables or
contain a string with an...
| |
by: Harry Keck |
last post by:
Is there a set of methods in the .Net framework that do the same thing as the
jscript functions escape and unescape?
I get very close with HttpUtility.UrlEncodeUnicode, but it puts "+" for
spaces instead of "%20". Uri.EscapeString seems to create the correct escape
string, but there is no unescape. The function is not public anyway, so I
probably shouldn't use it.
I need a way to escape text on the client, and then unescape it on the...
|
by: Axel Dahmen |
last post by:
Hi,
within a DataGrid control I'm using a DataTable containing a string column
to fill a Hyperlink's href attribute. Unfortunately HttpUtility.UrlEncode()
doesn't escape the apostroph character, thus ruining some of my hrefs.
How do I correctly escape any character using a Page's current encoding (I
don't want to hard-code the encoding)?
TIA,
|
by: Lawrence D'Oliveiro |
last post by:
The "escape" function in the "cgi" module escapes characters with special
meanings in HTML. The ones that need escaping are '<', '&' and '"'.
However, cgi.escape only escapes the quote character if you pass a second
argument of True (the default is False):
'the "quick" & <brown> fox'
'the "quick" & <brown> fox'
This seems to me to be dumb. The default option should be the safe one: that
is, escape _all_ the potentially troublesome...
|
by: Earl |
last post by:
Anyone know why the RowFilter has to be double-escaped? Anticipating names
with apostrophes, a single escape does not provide the proper name to filter
on.
For example, this would cause an exception:
Dim strname As String
strname = txtContact.Text
strname.Replace("'", "''")
dv.RowFilter = "ContactFullName='" + strname + "'"
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |