Solved

Access Form: Error when user enters an apostrophe

Posted on 2014-07-30
Last Modified: 2014-07-30
I have a piece of code that adds what a user enters into an Access text box into a table. This works great until an apostrophe is used.

I have run into this problem before and can't remember the way to fix it. I believe it is just some simple code placed around the item. I tried finding this online, but am not having much luck.

The piece of code that I believe is giving me trouble is the line:
 rst!ActDesc.Value = vardesc


The larger piece of code it is located in is this:

Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Me.txtactDesc.Value

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Me!lstType
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Question by:Megin
5 Comments

Expert Comment

by:Russell Fox
Try replacing single apostrophes with doubles:
vardesc = Replace(Me.txtactDesc.Value, "'", "''")

Author Comment

by:Megin
Do you mean where I have
txtactDesc = ""
?

I am not sure where that should go in the code.

Expert Comment

by:Russell Fox
I was assuming the problem was in your SQL query because apostrophes can cause havoc in SQL. In the image below, you can see how the user's apostrophe causes the string to end as far as SQL is concerned. The 2nd query uses two to "escape" the first apostrophe, basically telling the query analyzer "this is just a text apostrophe, not an end of the string":
(Image: Escaping an apostrophe in SQL)
If that is the problem, you should sanitize the string as soon as you get it from the users, so I showed how to do that right when you pull the value for vardesc from the txtactDesc textbox. You can do the same in all places where you get that data, or you can create a function that does other string cleaning and just call that whenever you get string values from the user. This is useful for eliminating SQL injection attacks, though your system may not need that much security. Imagine someone put this string into the txtactDesc box: '; DROP TABLE Activities;--
The SQL getting executed now looks like this:
(Image: SQL Injection)
No bueno. This code just replaces ' with '' wherever you're pulling data from the user form, which should fix your immediate problem:
Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Replace(Me.txtactDesc.VALUE, "'", "''")

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Replace(Me!lstType, "'", "''")
        ' Store the text as the user typed it: the doubled apostrophe in vardesc is only
        ' needed inside the SQL string literal, not in a recordset field assignment
        rst!ActDesc.Value = Me.txtactDesc.Value
        rst!STOid.Value = Replace(Me!CmbSTO.Value, "'", "''")
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub


Accepted Solution

by:aikimark (earned 500 total points)
Ah, the curse of the Irish (names).
Change your line 10 to be
vardesc = Replace(vbNullString & Me.txtactDesc.Value, Chr(34), vbNullString)

Change your line 12 to be either
strsql = "Select * From Activities Where ActDesc = """ & vardesc & """"

or
strsql = "Select * From Activities Where ActDesc = " & chr(34) & vardesc & chr(34)
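
Both answers above work around the apostrophe by rewriting the string that gets spliced into the SQL text. The alternative below, an added example rather than code from the thread, uses a DAO parameter query so that the lookup and the insert both receive the user's text as a value, never as part of the SQL; the table and field names come from the question, while the function name, the parameter name pDesc and the field types are assumptions.

```vba
' Added example (not from the thread): the same lookup-or-insert done with a
' DAO parameter query, so the user's text is never spliced into the SQL string.
' Assumptions: a table Activities with fields Actid (AutoNumber), ActDesc (Text),
' TypeId and STOid (Long), as implied by the original code; field names are
' taken from the thread, everything else is constructed for the example.
Option Explicit

' Returns the Actid for the given description, inserting a new row if needed.
' An apostrophe, a double quote or the "'; DROP TABLE Activities;--" string
' in desc is compared and stored as plain text because it travels as a value.
Public Function GetOrAddActivity(ByVal desc As String, ByVal typeId As Long, _
                                 ByVal stoId As Long) As Long
    Dim db As DAO.Database
    Dim qdf As DAO.QueryDef
    Dim rst As DAO.Recordset
    Set db = CurrentDb

    ' A temporary (unnamed) QueryDef; the PARAMETERS clause declares the type,
    ' and the engine receives the value separately from the SQL text.
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS [pDesc] Text(255); " & _
        "SELECT Actid, ActDesc, TypeId, STOid FROM Activities " & _
        "WHERE ActDesc = [pDesc];")
    qdf.Parameters("pDesc").Value = desc

    Set rst = qdf.OpenRecordset(dbOpenDynaset)
    If rst.EOF Then
        ' Recordset field assignment is not SQL either, so the raw text is
        ' written as-is: no doubled apostrophes end up in the table.
        rst.AddNew
        rst!ActDesc.Value = desc
        rst!TypeId.Value = typeId
        rst!STOid.Value = stoId
        rst.Update
        rst.Bookmark = rst.LastModified
    End If
    GetOrAddActivity = rst!Actid.Value

    rst.Close
    Set rst = Nothing
    Set qdf = Nothing
    Set db = Nothing
End Function

' Constructed sample inputs; each call works without any string escaping.
Public Sub DemoApostropheSafeInsert()
    Debug.Print GetOrAddActivity("O'Brien's review", 1, 1)
    Debug.Print GetOrAddActivity("Say ""hi""", 1, 1)
    Debug.Print GetOrAddActivity("'; DROP TABLE Activities;--", 1, 1)
End Sub
```

Because the text never reaches the SQL parser as a literal, the same function also keeps a double quote in the description unchanged, where the accepted answer has to strip Chr(34) out first.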
Author Closing Comment

by:Megin
Thank you! The chr(34) thing was what I was trying to remember. The code works great now!