Solved

How to replace ' (apostrophe) on a database search.

Posted on 2006-06-19
10
1,133 Views
Last Modified: 2008-01-09
Right now, when a user try's to search with an ' they get an error.  Normally, i can use the below syntax to replace the ' so it won't think it's an end of statement.  That's not working here.  What can I do in this instance?

########
HTML CODE
########

<b>Search by Employee Name</b>
<form method="post" action="/relyco/cgi-bin/search_emp_name.asp" name="form2">
<input type="text" name="EmpName" size="40"></form>

################
search_emp_name.asp
################
<%

EmpName                              = Request( "EmpName" )
EmpName                              = Replace(  EmpName,"'","''" )

Dim rs
Set rs = Server.CreateObject("ADODB.recordset")
rs.open "select * from SalesLead where EmpName LIKE '" & Request.Form("EmpName") & "%' ORDER BY ID", "DSN=relyco"

%>
0
Comment
Question by:bschwarting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 6

Expert Comment

by:inviser
ID: 16937848
Can you post the error you are getting because your code looks fine
0
 
LVL 2

Expert Comment

by:Ghasano
ID: 16937859
try replacing :
EmpName                         = Request( "EmpName" )
EmpName                         = Replace(  EmpName,"'","''" )

to :

EmpName = CStr(trim(Request( "EmpName" )))
EmpName = CStr(trim(Replace(EmpName, "'", "''")))



0
 
LVL 6

Expert Comment

by:inviser
ID: 16937866
Nevermind, I found the problem, do this, you forgot the use EmpName in the query

<%
EmpName                         = Request( "EmpName" )
EmpName                         = Replace(  EmpName,"'","''" )

Dim rs
Set rs = Server.CreateObject("ADODB.recordset")
rs.open "select * from SalesLead where EmpName LIKE '" & EmpName & "%' ORDER BY ID", "DSN=relyco"
%>
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:Ghasano
ID: 16937884
change :
rs.open "select * from SalesLead where EmpName LIKE '" & Request.Form("EmpName") & "%' ORDER BY ID", "DSN=relyco"

to :

rs.open "select * from SalesLead where EmpName LIKE '%" & EmpName & "% ORDER BY ID", "DSN=relyco"
0
 
LVL 2

Expert Comment

by:Ghasano
ID: 16937898
there must be %% and you forgot to write the second %
0
 
LVL 2

Expert Comment

by:Ghasano
ID: 16937910
sorry i forgot ...
change
rs.open "select * from SalesLead where EmpName LIKE '%" & EmpName & "% ORDER BY ID", "DSN=relyco"

to

rs.open "select * from SalesLead where EmpName LIKE '%" & EmpName & "%' ORDER BY ID", "DSN=relyco"
0
 
LVL 26

Accepted Solution

by:
DireOrbAnt earned 500 total points
ID: 16937911
bschwarting,

You forgot to use your formatted variable in the SQL call.

Instead of:
rs.open "select * from SalesLead where EmpName LIKE '" & Request.Form("EmpName") & "%' ORDER BY ID", "DSN=relyco"

Use:
rs.open "select * from SalesLead where EmpName LIKE '" & EmpName & "%' ORDER BY ID", "DSN=relyco"

That will fix your issue. However, you probably want to use Stored Procedure instead of calling a SELECT *. This will help in many ways. For one, you won't need to parse the quote, but it will also help for security (injection attacks), optimization and so on.
0
 
LVL 1

Author Comment

by:bschwarting
ID: 16937944
hit the nail on the head DireOrbAnt!!!  thanks!
0
 
LVL 26

Expert Comment

by:DireOrbAnt
ID: 16938685
Others have posted a similar response as I was typing mine. I hope they get credit from it.
0
 
LVL 1

Author Comment

by:bschwarting
ID: 16942095
DireOrbAnt, yours was the perfect syntax.  the others were all off just a bit.
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question