1) You really shouldn't be using generic sql like that.... you should use specific SQL, where the Table and field(s) are known.
2) Now is a good time to learn about parameterized queries. It's the use of " AND ' that is your problem. They are used by SQL as text indicators.... more on the solution in a sec.
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
3) Another reason for parameterized queries is security. Let's use your query as an example:
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
What would happen if adoCombo contained this: '; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = '
Your resulting SQL would look like this:
SELECT * FROM MyTable WHERE myField = ''; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = ''
As you can see.... that would be very bad, now wouldn't it?
But if you use a parameterized query:
Code:
strSQL = "SELECT * FROM MyTable WHERE myField = @FldParam"
Then use the .CreateParameter (of the command object) to create a parameter and its value to pass in, then add it to the parameters collection using .Parameters.Add (again, in the command object).
Hope this is enough info to get you started looking in the right places
-tg
edit: ugh... Gary - geezes... what's with the grep solution? Why does everyone think that solves things? IMHO that just makes it worse since you're modifying data. Data should never be modified just to store it in the DB. Hack - this trout's for you: while syntactically correct, there's everything wrong with it.
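The two behaviours tg describes, the stray apostrophe breaking a concatenated query and the parameterized query treating the same text as plain data, can be reproduced outside VB6. The following is an added example, not code from the post or from any of its participants; it uses Python's standard sqlite3 module in place of ADO, so the `?` placeholder stands in for the post's `@FldParam` / `.CreateParameter` mechanism, and the rows in `MyTable` are constructed sample data. `INJECTION` is the combo-box text from the post, unchanged.

```python
import sqlite3

# Constructed sample rows standing in for the poster's MyTable/myField;
# one value contains an apostrophe, the character the post says breaks the query.
SAMPLE_ROWS = [("alpha",), ("O'Brien",), ("beta",)]

# The crafted combo-box text from the post, unchanged.
INJECTION = "'; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = '"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (myField TEXT)")
    conn.executemany("INSERT INTO MyTable (myField) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_concatenated_sql(user_text):
    """Mirror the post's string concatenation exactly:
    strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
    The user text is spliced into the SQL, quotes and all."""
    return "SELECT * FROM MyTable WHERE myField = " + "'" + user_text + "'"


def lookup_concatenated(conn, user_text):
    """Vulnerable version. Returns (matches, error_message).
    An apostrophe in user_text closes the string literal early, so the
    statement no longer parses as intended; whatever follows is read as SQL."""
    try:
        rows = conn.execute(build_concatenated_sql(user_text)).fetchall()
        return [r[0] for r in rows], None
    except sqlite3.Error as exc:
        return None, str(exc)


def lookup_parameterized(conn, user_text):
    """Hardened version. The SQL text is fixed; user_text travels separately
    as a bound value, so quotes and semicolons in it are just characters.
    (sqlite3 uses ? as the placeholder where ADO used @FldParam.)"""
    rows = conn.execute(
        "SELECT * FROM MyTable WHERE myField = ?", (user_text,)
    ).fetchall()
    return [r[0] for r in rows]


def row_count(conn):
    """How many rows MyTable still holds, to confirm nothing was deleted."""
    return conn.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(build_concatenated_sql(INJECTION))          # the string from the post
    print(lookup_concatenated(conn, "O'Brien"))       # (None, '...syntax error')
    print(lookup_parameterized(conn, "O'Brien"))      # ["O'Brien"]
    print(lookup_parameterized(conn, INJECTION))      # [] and the table is intact
    print(row_count(conn))
```

Running it shows that `build_concatenated_sql(INJECTION)` yields exactly the "resulting SQL" line in the post, that a legitimate value such as `O'Brien` already makes the concatenated lookup fail, and that the parameterized lookup returns the apostrophe row correctly while the crafted text simply matches nothing. Python's sqlite3 driver refuses to run more than one statement per `execute`, so the DELETE scenario is not re-executed here; that refusal is a property of this driver, not something to rely on, and the placeholder is the fix in both worlds.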