Access Form: Error when user enters an apostrophe

I have a piece of code that adds what a user enters into an access text box into a table. This works great until an apostrophe is used.

I have run into this problem before and can't remember the way to fix it. I believe it is just some simple code placed around the item. I tried finding this online, but am not having much luck.

The piece of code that I believe is giving me trouble is the line:
 rst!ActDesc.Value = vardesc



The larger piece of code it is located in is this:

Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Me.txtactDesc.Value

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Me!lstType
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Megin asked:

Russell Fox (Database Developer) commented:
Try replacing single apostrophes with doubles:
vardesc = Replace(Me.txtactDesc.Value, "'", "''")
Megin (Author) commented:
Do you mean where I have
txtactDesc = ""
?

I am not sure where that should go in the code.

Russell Fox (Database Developer) commented:
I was assuming the problem was in your SQL query because apostrophes can cause havoc in SQL. In the image below, you can see how the user's apostrophe causes the string to end as far as SQL is concerned. The 2nd query uses two to "escape" the first apostrophe, basically telling the query analyzer "this is just a text apostrophe, not an end of the string":
[Image: Escaping an apostrophe in SQL]
If that is the problem, you should sanitize the string as soon as you get it from the users, so I showed how to do that right when you pull the value for vardesc from the txtactDesc textbox. You can do the same in all places where you get that data, or you can create a function that does other string cleaning and just call that whenever you get string values from the user. This is useful for eliminating SQL injection attacks, though your system may not need that much security. Imagine someone put this string into the txtactDesc box: '; DROP TABLE Activities;--
The SQL getting executed now looks like this:
[Image: SQL Injection]
No bueno. This code just replaces ' with '' wherever you're pulling data from the user form, which should fix your immediate problem:
Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Replace(Me.txtactDesc.VALUE, "'", "''")

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Replace(Me!lstType, "'", "''")
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Replace(Me!CmbSTO.Value, "'", "''")
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

aikimark commented:
Ah, the curse of the Irish (names).
Change your line 10 to be
vardesc = Replace(vbNullString & Me.txtactDesc.Value, Chr(34), vbNullString)


Change your line 12 to be either
strsql = "Select * From Activities Where ActDesc = """ & vardesc & """"


or
strsql = "Select * From Activities Where ActDesc = " & chr(34) & vardesc & chr(34)


Megin (Author) commented:
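The two answers above both work by making the apostrophe harmless inside a concatenated SQL string (doubling it, or switching the delimiter to Chr(34)). The example below is added here and is not code from the question or either answer: it shows the approach a defender would prefer, binding the user's text as a DAO query parameter so no character in it can ever act as SQL syntax, and it shows why the value written through the Recordset must stay unescaped. It assumes the Activities table, the ActDesc, TypeId and STOid columns and the form controls named in the thread; the FindActivity and SqlQuote names are this example's own.

```vba
Option Compare Database
Option Explicit

' Look up an activity by description without building the WHERE clause from
' the user's text. The value is bound as a DAO parameter, so an apostrophe,
' a double quote, or a payload such as  '; DROP TABLE Activities;--  is only
' data to the query engine, never part of the statement.
Private Function FindActivity(db As DAO.Database, ByVal desc As String) As DAO.Recordset
    Dim qdf As DAO.QueryDef
    ' An unnamed (temporary) QueryDef; PARAMETERS declares the placeholder.
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS pDesc Text(255); " & _
        "SELECT * FROM Activities WHERE ActDesc = [pDesc];")
    qdf.Parameters("pDesc").Value = desc
    Set FindActivity = qdf.OpenRecordset(dbOpenDynaset)
End Function

' Fallback for code that really must concatenate SQL: double every apostrophe
' so the literal ends where the developer's closing quote is, not where the
' user typed one. Apply it to the SQL string only, never to the stored value.
Private Function SqlQuote(ByVal s As String) As String
    SqlQuote = "'" & Replace(s, "'", "''") & "'"
End Function

Private Sub btnAddNew_Click()
    Dim db As DAO.Database
    Dim rst As DAO.Recordset
    Dim vardesc As String

    ' Raw text exactly as typed, e.g. O'Brien; no escaping needed here.
    vardesc = Nz(Me.txtactDesc.Value, vbNullString)
    Set db = CurrentDb
    Set rst = FindActivity(db, vardesc)

    If rst.RecordCount = 0 Then
        rst.AddNew
        rst!TypeId.Value = Me!lstType
        ' Field assignment does not pass through the SQL parser, so the raw
        ' value is stored as typed. Doubling the apostrophe at this point
        ' (as an escaped variable would) saves O''Brien in the table.
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
        rst.Update
    End If

    rst.Close
    Set rst = Nothing
    Set db = Nothing
End Sub
```

The escaping in the thread is still correct for the SELECT, but once the lookup is parameterized the only place the apostrophe matters is gone, and the Recordset write never needed it.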
Thank you!  The chr(34) thing was what I was trying to remember. The code works great now!