Solved

Replace statement in update ASP.NET

Posted on 2007-03-27
Last Modified: 2010-03-19
I need to include a replace statement in the following code.
        Dim oCom2 As SqlCommand = New SqlCommand
        oCom2.Connection = objConn
        objConn.Open()
        Dim sSQL As String
        sSQL = "Update dbo.tblAdTxt "
        sSQL = sSQL & "Set adtxt = '" & ManagedText.Html & "'"
        sSQL = sSQL & ", txtTitle = '" & txtTitle.Text & "'"
        sSQL = sSQL & ", AdType = '" & ListAdType.SelectedValue & "'"
        sSQL = sSQL & ", wrdCnt = '" & Request.Params("txtWordCnt") & "'"

        sSQL = sSQL & " where txtAdID=" & Request.QueryString("txtAdID")
        oCom2.CommandText = sSQL
        oCom2.ExecuteNonQuery()
        oCom2.Dispose()

I need for the
sSQL = sSQL & "Set adtxt = '" & ManagedText.Html & "'"

to allow for an apostrophe in it.
Replace(ManagedText.Html ,"'","''")
Question by:lrbrister
4 Comments
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 18802609
quick-fix:

Dim oCom2 As SqlCommand = New SqlCommand
        oCom2.Connection = objConn
        objConn.Open()
        Dim sSQL As String
        sSQL = "Update dbo.tblAdTxt "
        sSQL = sSQL & "Set adtxt = '" & Replace(ManagedText.Html ,"'","''")  & "'"
        sSQL = sSQL & ", txtTitle = '" & txtTitle.Text & "'"
        sSQL = sSQL & ", AdType = '" & ListAdType.SelectedValue & "'"
        sSQL = sSQL & ", wrdCnt = '" & Request.Params("txtWordCnt") & "'"

        sSQL = sSQL & " where txtAdID=" & Request.QueryString("txtAdID")
        oCom2.CommandText = sSQL
        oCom2.ExecuteNonQuery()
        oCom2.Dispose()



LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 18802638
better, to protect against sql injection:

Dim oCom2 As SqlCommand = New SqlCommand
oCom2.Connection = objConn
objConn.Open()
Dim sSQL As String
sSQL = "Update dbo.tblAdTxt "
sSQL = sSQL & "Set adtxt = @adtxt "
sSQL = sSQL & ", txtTitle = @title "
sSQL = sSQL & ", AdType = @adtype "
sSQL = sSQL & ", wrdCnt = @cnt "
sSQL = sSQL & " where txtAdID=  @id "
oCom2.CommandText = sSQL

Dim p as SqlParamter
p = new SqlParameter("@adtxt", ManagedText.Html)
oCom2.Parameters.Add(p)
p = new SqlParameter("@title", txtTitle.Text)
oCom2.Parameters.Add(p)
p = new SqlParameter("@adtype", ListAdType.SelectedValue)
oCom2.Parameters.Add(p)
p = new SqlParameter("@cnt", Request.Params("txtWordCnt"))
oCom2.Parameters.Add(p)
p = new SqlParameter("@id", Request.QueryString("txtAdID"))
oCom2.Parameters.Add(p)

oCom2.ExecuteNonQuery()

oCom2.Dispose()

Author Comment

by:lrbrister
ID: 18803995
angelIII,
  Your first answer works... of course. But your second... I'm getting a "SqlParamter is not defined" on the part below. And it's not just the typo...
Using VS2005

Dim p as SqlParamter

Should I consider the question answered and repost the second one?

Thanks
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 18806064
sorry, typo:
Dim p as SqlParameter
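
The parameterized update from this thread, pulled together as an added example (not code from the original posts). It goes slightly beyond the thread by validating the two numeric inputs and typing each parameter. The `AdTextRepository` module, the `UpdateAdText` function and all column types and sizes are assumptions; adjust them to the real `dbo.tblAdTxt` schema.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module AdTextRepository

    ' Hypothetical helper, not from the thread. Column types and sizes below are
    ' assumptions; a value longer than the declared size is truncated.
    Public Function UpdateAdText(ByVal connectionString As String, _
                                 ByVal rawAdId As String, _
                                 ByVal adHtml As String, _
                                 ByVal title As String, _
                                 ByVal adType As String, _
                                 ByVal rawWordCount As String) As Boolean

        ' The ID and word count arrive as strings from the query string / form.
        ' Reject anything that is not an integer before touching the database.
        Dim adId As Integer
        Dim wordCount As Integer
        If Not Integer.TryParse(rawAdId, adId) Then Return False
        If Not Integer.TryParse(rawWordCount, wordCount) Then Return False
        If adHtml Is Nothing OrElse title Is Nothing OrElse adType Is Nothing Then Return False

        Const sql As String = _
            "UPDATE dbo.tblAdTxt " & _
            "SET adtxt = @adtxt, txtTitle = @title, AdType = @adtype, wrdCnt = @cnt " & _
            "WHERE txtAdID = @id"

        ' Using disposes the connection and command even if an exception is thrown.
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Values travel as typed data and are never parsed as SQL text,
                ' so apostrophes in adHtml or title need no Replace().
                cmd.Parameters.Add("@adtxt", SqlDbType.NVarChar, -1).Value = adHtml
                cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = title
                cmd.Parameters.Add("@adtype", SqlDbType.NVarChar, 50).Value = adType
                cmd.Parameters.Add("@cnt", SqlDbType.Int).Value = wordCount
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = adId

                conn.Open()
                ' Exactly one row should match the ad ID.
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function

End Module
```

From the page's code-behind this would be called with `Request.QueryString("txtAdID")`, `ManagedText.Html`, `txtTitle.Text`, `ListAdType.SelectedValue` and `Request.Params("txtWordCnt")`.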

Question has a verified solution.
