Results 1 to 7 of 7

Thread: single quotes in SQL statement

  1. Jun 24th, 2004, 11:56 AM #1
    vbdotnetboy
    vbdotnetboy is offline

    Thread Starter
    Frenzied Member vbdotnetboy's Avatar
    Join Date
    Jun 2004
    Location
    Lewisburg, PA "Next year Raiders in the Super Bowl"
    Posts
    1,310

    single quotes in SQL statement

    if i have a value that has to be insterted into a field in Access but the value has a single quote, ie. Example's. if i write the instert statement the following way would it work?


    VB Code:
    1. dim sql as string = "insert into THETABLE (THEFIELD) values(" & """example's""" & ")"

    Derek - Using VS 2008 99% of the time and VS 2003 1% of the time

    Please Help Us To Save Ana

    ● Helpful Links: DNR TV | Awesome site for tips | Using ADO.NET to work with Excel | Xml Namespace 2.0 Framework Changes|Ultra High Security Password Generator | Mendhak's ADO.NET Tutorial
    ● Code Bank: Random Password Generator | Generic DbProviderFactory Access
    ● Site Work: Bottle Run Xtreme | Spaids Racing.com

    Company I work for - CSSI

    WHEN POSTING PLEASE INDICATE VERSION

    Please use vbcode tags or code tags when posting code
    [highlight=vb]ALL your code goes here[/highlight] or [code]ALL your code goes here[/code]

    If my post helped you in anyway... please be kind and give me some ratings
    Reply With Quote Reply With Quote
  2. Jun 24th, 2004, 11:59 AM #2
    SeanGrebey
    SeanGrebey is offline
    Frenzied Member
    Join Date
    Mar 2004
    Location
    Orlando, FL
    Posts
    1,618
    I usually do replaces on all my SQL statements that don't use parameters just in case.

    Replace(strSQL,"'","''") that is one single quote with two single quotes.
    Sean

    Some days when I think about the next 30 years or so of my life I am going to spend writing code, I happily contemplate stepping off a curb in front of a fast moving bus.
    Reply With Quote Reply With Quote
  3. Jun 24th, 2004, 12:41 PM #3
    salvelinus
    salvelinus is offline
    Frenzied Member
    Join Date
    Feb 2003
    Location
    Argentina
    Posts
    1,950
    That's how I do it too.
    Reply With Quote Reply With Quote
  4. Jun 24th, 2004, 04:40 PM #4
    Redth
    Redth is offline
    Fanatic Member Redth's Avatar
    Join Date
    May 2001
    Location
    Ontario, Canada
    Posts
    551
    Might i recommend instead of doing it this way, .NET has a much better way of adding parameters to a sql query.

    For instance, try this:

    Dim sql as string = "insert into THETABLE (THEFIELD) values (@thefield)"

    Dim objCmd As OleDbCommand = New OleDbCommand(sql, objCon)

    objCmd.Parameters.Add("@thefield", textbox1.Text)


    Notice that if i do it this way i don't have to worry about any single quotes surrounding a string to be insertted into a Text field or anything, or even replacing single quotes that would mess up the sql query. This method does that all for you, and better yet, it even checks for and stops SQL Injection attacks!

    This is the new recommended way to do things
    Reply With Quote Reply With Quote
  6. Jun 25th, 2004, 06:20 AM #5
    vbdotnetboy
    vbdotnetboy is offline

    Thread Starter
    Frenzied Member vbdotnetboy's Avatar
    Join Date
    Jun 2004
    Location
    Lewisburg, PA "Next year Raiders in the Super Bowl"
    Posts
    1,310
    thanx Redth...did the trick....still learning or converting over to the .NET side of things...thanx again

    Derek - Using VS 2008 99% of the time and VS 2003 1% of the time

    Please Help Us To Save Ana

    ● Helpful Links: DNR TV | Awesome site for tips | Using ADO.NET to work with Excel | Xml Namespace 2.0 Framework Changes|Ultra High Security Password Generator | Mendhak's ADO.NET Tutorial
    ● Code Bank: Random Password Generator | Generic DbProviderFactory Access
    ● Site Work: Bottle Run Xtreme | Spaids Racing.com

    Company I work for - CSSI

    WHEN POSTING PLEASE INDICATE VERSION

    Please use vbcode tags or code tags when posting code
    [highlight=vb]ALL your code goes here[/highlight] or [code]ALL your code goes here[/code]

    If my post helped you in anyway... please be kind and give me some ratings
    Reply With Quote Reply With Quote
  7. Jun 28th, 2004, 03:28 PM #6
    MrGTI
    MrGTI is offline
    Frenzied Member MrGTI's Avatar
    Join Date
    Oct 2000
    Location
    Ontario, Canada
    Posts
    1,277
    That was an INSERT statement. How do you do it when it's a SELECT statement? For example,...

    Code:
    SELECT * FROM tbl_One WHERE Field = 'userdatehere';
    The SQL statement is passed into a SqlDataAdapter when created, so you can't use the SqlCommand object. So how do you use SqlParameter method with a SELECT statement?
    ~Peter

    Reply With Quote Reply With Quote
  8. Jun 28th, 2004, 04:37 PM #7
    TLord
    TLord is offline
    Lively Member TLord's Avatar
    Join Date
    Jun 2004
    Posts
    95
    Guys guys,
    when you use SQl server, OLEDB objects are irrelevant.
    This is the perfect code for adding parameters (assuming that you previously declared SqlConnection(Conn) and SqlDataAdapter(DAdap) objects, in order to use these references you MUST import the System.Data.SqlClient Class):
    VB Code:
    1. DAdap.InserCommand = New SqlCommand("insert into THETABLE (THEFIELD) values (@Val)", Conn)

    2. Dim Prm as SqlParameter = DAdap.InsertCommand.Parameters.Add(New SqlParameter("@Val", SqlDbType.Char))

    3. Prm.SourceColumn = "THEFIELD"

    4. Prm.SourceVersion = DataRowVersion.Current
    Do you think my life is easy?
    Do you think it's good to win?
    do you think it's nice to kill?
    Do you think learning is a must?
    Do you think computers are nothing?
    Do you think this post is stupid?
    Do ypu think we're really humen?

    DO YOU THINK IT'S GOOD TO THINK AT ALL? ? ? ! ! !
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules


Click Here to Expand Forum to Full Width