[RESOLVED] SQL Statement for newbie !
Hi everybody ! I'm a new one in ADO and SQL Statement...
Two questions for you:
1) Is it normal that my statement got many (") ??? if answer it's no, is there a simple way to write this ???
strSQL = "SELECT * FROM " & adoTable & " WHERE " & adoField & " = " & "'" & adoCombo.Text & "'"
2) Finally, sometime I got an error because the value of adoCombo.Text = Column 6" x 8'
Error: Syntax error (missing operator) in query expression...
I thought it's because the (') after 8 and I tried to put 96" and I a got the same error ???
Thanks in advance for your help !
Re: SQL Statement for newbie !
The " and ' are marking the end of the string statements (the SQL) which happens in the middle of your statement. You need to use parameters or do a preplace on the 6" x 8' like this:
VB Code:
dim strTest as string
strTest = Replace(adoCombo.Text,"'","''")
strTest = Replace (strTest.Text """","""""")
Look at the qoute marks really carefully. The are some single qoutes that are doubled up and some double qoutes to double doubles and quad doubles.
Re: SQL Statement for newbie !
And
Code:
strSQL = "SELECT * FROM " & adoTable & " WHERE " & adoField & " = " & "'" & adoCombo.Text & "'"
I see nothing wrong with this statement.
Re: SQL Statement for newbie !
1) You really shouldn't be using generic sql like that.... you should use specific SQL, where the Table and field(s) are known.
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
2) Now is a good time to learn about parameterized queries. It's the use of " AND ' that is your problem. They are used by SQL as text indicators.... more on the solution in a sec
3) Another reason fo parameterized queries is security. LEt's use your query as an example:
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
What would happen if adboCombo contained this: '; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = '
Your resulting SQL would look like this:
SELECT * FROM MyTable WHERE myField = ''; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = ''
As you can see.... that would be very bad, now wouldn't it?
But if you use a parameterized query:
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = @FldParam"
Then use the .CreateParameter (of the command object) to create a paremeter and it's value to pass in, then add it to the parameters collection using .Parameters.Add (again, in the command object).
Hope this is enough info to get you started looking in the right places
-tg
edit: ugh... Gary - geezes... what's with the grep solution? Why does eveyone think that solves things? IMHO that just makes it worse since you're modifying data. Data should never be modified just to store it in the DB. Hack - this trout's for you while syntaticaly correct, there's everything wrong with it.
Re: SQL Statement for newbie !
See also this thread for a similar notes about sql concatenation.
http://vbforums.com/showthread.php?t=426312
-tg
Re: SQL Statement for newbie !
Quote:
Originally Posted by GaryMazzone
The " and ' are marking the end of the string statements (the SQL) which happens in the middle of your statement. You need to use parameters or do a preplace on the 6" x 8' like this:
VB Code:
dim strTest as string
strTest = Replace(adoCombo.Text,"'","''")
strTest = Replace (strTest.Text """","""""")
Look at the qoute marks really carefully. The are some single qoutes that are doubled up and some double qoutes to double doubles and quad doubles.
Thanks again !
Quote:
Originally Posted by Hack
And
Code:
strSQL = "SELECT * FROM " & adoTable & " WHERE " & adoField & " = " & "'" & adoCombo.Text & "'"
I see nothing wrong with this statement.
Cool ! It's complicated to read because there are many (")
Re: SQL Statement for newbie !
Quote:
Originally Posted by techgnome
2) Now is a good time to learn about parameterized queries. It's the use of " AND ' that is your problem. They are used by SQL as text indicators.... more on the solution in a sec
Hope this is enough info to get you started looking in the right places...
Thanks you too ! I will check for this !
