  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 261

allow users to enter single quotes in text box

I would like to allow people to use single quotes while writing something in a text box that will be updated in a DB.

Currently, if people try to type, for example, "Friend's", there is an error.

Can someone help me modify my code below to allow me to do this?

sql = "UPDATE tblData SET back_colour = '" & request("bcolor") & "', font_size = '" & request("fsize") & "', main_text = '" & request("mtext") & "', page_name = '" & request("pname") & "', modified=true WHERE email ='" & session("usersession") & "'"

I need it to be enabled for the whole sql statement and not just one DB field.

Thanks
0
Asked by: sh00tar

2 Solutions
kevp75 Commented:
use replace(request("FieldName"),"'","`")
0
 
kevp75 Commented:
or:
' Swap each single quote for a backtick before the value is concatenated into the SQL string
Function SQLInjectProtect(str)
   SQLInjectProtect = replace(str, "'", "`")
End Function

and replace:
sql = "UPDATE tblData SET back_colour = '" & request("bcolor") & "', font_size = '" & request("fsize") & "', main_text = '" & request("mtext") & "', page_name = '" & request("pname") & "', modified=true WHERE email ='" & session("usersession") & "'"

with:
sql = "UPDATE tblData SET back_colour = '" & SQLInjectProtect(request("bcolor")) & "', font_size = '" & SQLInjectProtect(request("fsize")) & "', main_text = '" & SQLInjectProtect(request("mtext")) & "', page_name = '" & SQLInjectProtect(request("pname")) & "', modified=true WHERE email ='" & SQLInjectProtect(session("usersession")) & "'"
0
 
alorentz Commented:
sh00tar - the proper (most common) way to do this is to replace the ' with ''. Similar to kevp75's answer, but like this:

function fmtSQL(txt)
   ' FORMAT DYNAMIC SQL TEXT: double each single quote so it is read as a literal quote inside the SQL string
   txt = replace(txt, "'", "''")
   fmtSQL = txt
end function

0
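The three approaches on this page (raw concatenation, the backtick swap, and the doubled-quote escape) can be seen side by side against the "Friend's" input from the question. The block below is an added example written for this page, not code from the question or either answer: it is a Python port using an in-memory sqlite3 table named tblData with only the columns the comparison needs (assumed layout), and it adds a fourth variant, a parameterized statement, which is the form the ADODB.Command object's Parameters collection gives you in classic ASP and which removes the need to escape at all.

```python
import sqlite3

# Constructed sample input: the value the question reports as breaking the UPDATE.
SAMPLE_TEXT = "Friend's"
SAMPLE_EMAIL = "user@example.com"  # constructed session value standing in for session("usersession")


def fmt_sql(txt: str) -> str:
    """Port of alorentz's fmtSQL: double every single quote (SQL string-literal escaping)."""
    return txt.replace("'", "''")


def backtick_replace(txt: str) -> str:
    """Port of kevp75's SQLInjectProtect: swap ' for `. The stored data is altered, not escaped."""
    return txt.replace("'", "`")


def make_db() -> sqlite3.Connection:
    """Assumed minimal tblData layout: only the columns this comparison touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblData (email TEXT PRIMARY KEY, main_text TEXT, modified INTEGER)")
    conn.execute("INSERT INTO tblData VALUES (?, '', 0)", (SAMPLE_EMAIL,))
    return conn


def update_concat(conn: sqlite3.Connection, email: str, mtext: str) -> None:
    """The question's pattern: the raw value is spliced into the statement text."""
    sql = "UPDATE tblData SET main_text = '" + mtext + "', modified=1 WHERE email ='" + email + "'"
    conn.execute(sql)


def update_backtick(conn: sqlite3.Connection, email: str, mtext: str) -> None:
    """kevp75's pattern: every field passes through the backtick swap first."""
    sql = ("UPDATE tblData SET main_text = '" + backtick_replace(mtext)
           + "', modified=1 WHERE email ='" + backtick_replace(email) + "'")
    conn.execute(sql)


def update_escaped(conn: sqlite3.Connection, email: str, mtext: str) -> None:
    """alorentz's pattern: quotes are doubled so the literal stays intact."""
    sql = ("UPDATE tblData SET main_text = '" + fmt_sql(mtext)
           + "', modified=1 WHERE email ='" + fmt_sql(email) + "'")
    conn.execute(sql)


def update_param(conn: sqlite3.Connection, email: str, mtext: str) -> None:
    """Parameterized form: the driver keeps values and statement text apart, so no escaping is needed."""
    conn.execute("UPDATE tblData SET main_text = ?, modified=1 WHERE email = ?", (mtext, email))


def stored_text(conn: sqlite3.Connection, email: str) -> str:
    return conn.execute("SELECT main_text FROM tblData WHERE email = ?", (email,)).fetchone()[0]


def demo() -> dict:
    """Run each variant on a fresh table and report what ended up in main_text."""
    results = {}
    for name, fn in (("concat", update_concat), ("backtick", update_backtick),
                     ("escaped", update_escaped), ("param", update_param)):
        conn = make_db()
        try:
            fn(conn, SAMPLE_EMAIL, SAMPLE_TEXT)
            results[name] = stored_text(conn, SAMPLE_EMAIL)
        except sqlite3.OperationalError:
            # The unescaped quote in "Friend's" terminates the literal early and the statement fails to parse.
            results[name] = "error"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Running the block shows the raw concatenation failing with a syntax error, the backtick variant storing "Friend`s" (the user's text silently changed), and both the doubled-quote escape and the parameterized statement storing "Friend's" exactly as typed. The doubling trick works because a doubled quote is the SQL literal escape for a single quote; the parameterized form is the one to prefer because it also covers every other character the database might treat specially, without the application having to know the list.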
 
sh00tar Author Commented:
Thank you both for the great answers. I will give the majority of the points to kevp75 since he was first to respond and gave me both the function and the sql line.

alorentz gave me the function that I'm using right now since I didn't want to change ' into ` as was the case with kevp75's code.

Thank you both.

I have another question which I hope any of you might be able to help me with. Found on this page:

I don't know if I'm able to make links in this box but I'll try.

This Page: http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21815209.html

Once again, Thank you.
0
 
kevp75 Commented:
glad I could help, thanks for the grade
0
