?
Solved

Access Form: Error when user enters an apostrophe

Posted on 2014-07-30
5
Medium Priority
?
344 Views
Last Modified: 2014-07-30
I have a piece of code that adds what a user enters into an access text box into a table. This works great until an apostrophe is used.

I have run into this problem before and can't remember the way to fix it. I believe it is just some simple code placed around the item. I tried finding this online, but am not having much luck.

The piece of code that I believe is giving me trouble is the line:
 rst!ActDesc.Value = vardesc

Open in new window


The larger piece of code it is located in is this:

Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Me.txtactDesc.Value

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Me!lstType
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Open in new window

0
Comment
Question by:Megin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229788
Try replacing single apostrophes with doubles:
vardesc = Replace(Me.txtactDesc.Value, "'", "''")
0
 

Author Comment

by:Megin
ID: 40229821
Do you mean where I have  
txtactDesc = ""

Open in new window

?

I am not sure where that should go in the code.
0
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229921
I was assuming the problem was in your SQL query because apostrophes can cause havoc in SQL. In the image below, you can see how the user's apostrophe causes the string to end as far as SQL is concerned. The 2nd query uses two to "escape" the first apostrophe, basically telling the query analyzer "this is just a text apostrophe, not an end of the string":
Escaping an apostrophe in SQLIf that is the problem, you should sanitize the string as soon as you get it from the users, so I showed how to do that right when you pull the value from for vardesc from the txtactDesc textbox. You can do the same in all places where you get that data, or you can create a function that does other string cleaning and just call that whenever you get string values from the user. This is useful for eliminating SQL injection attacks, though your system may not need that much security. Imagine someone put this string into the txtactDesc box: '; DROP TABLE Activities;--
The sql getting executed now looks like this:
SQL InjectionNo bueno. This code just replaces ' with '' wherever you're pulling data from the user form which should fix your immediate problem:
Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Replace(Me.txtactDesc.VALUE, "'", "''")

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Replace(Me!lstType, "'", "''")
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Replace(Me!CmbSTO.Value, "'", "''")
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Open in new window

0
 
LVL 46

Accepted Solution

by:
aikimark earned 2000 total points
ID: 40230161
Ah, the curse of the Irish (names).
Change your line 10 to be
vardesc = Replace(vbNullString & Me.txtactDesc.Value, Chr(34), vbNullString)

Open in new window

Change your line 12 to be either
strsql = "Select * From Activities Where ActDesc = """ & vardesc & """"

Open in new window

or
strsql = "Select * From Activities Where ActDesc = " & chr(34) & vardesc & chr(34)

Open in new window

0
 

Author Closing Comment

by:Megin
ID: 40230642
Thank you!  The chr(34) thing was what I was trying to remember. The code works great now!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Access custom database properties are useful for storing miscellaneous bits of information in a format that persists through database closing and reopening.  This article shows how to create and use them.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In Microsoft Access, learn how to use Dlookup and other domain aggregate functions and one method of specifying a string value within a string. Specify the first argument, which is the expression to be returned: Specify the second argument, which …
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question