Solved

Access Form: Error when user enters an apostrophe

Posted on 2014-07-30
5
340 Views
Last Modified: 2014-07-30
I have a piece of code that adds what a user enters into an access text box into a table. This works great until an apostrophe is used.

I have run into this problem before and can't remember the way to fix it. I believe it is just some simple code placed around the item. I tried finding this online, but am not having much luck.

The piece of code that I believe is giving me trouble is the line:
 rst!ActDesc.Value = vardesc

Open in new window


The larger piece of code it is located in is this:

Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Me.txtactDesc.Value

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Me!lstType
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Open in new window

0
Comment
Question by:Megin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229788
Try replacing single apostrophes with doubles:
vardesc = Replace(Me.txtactDesc.Value, "'", "''")
0
 

Author Comment

by:Megin
ID: 40229821
Do you mean where I have  
txtactDesc = ""

Open in new window

?

I am not sure where that should go in the code.
0
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229921
I was assuming the problem was in your SQL query because apostrophes can cause havoc in SQL. In the image below, you can see how the user's apostrophe causes the string to end as far as SQL is concerned. The 2nd query uses two to "escape" the first apostrophe, basically telling the query analyzer "this is just a text apostrophe, not an end of the string":
Escaping an apostrophe in SQLIf that is the problem, you should sanitize the string as soon as you get it from the users, so I showed how to do that right when you pull the value from for vardesc from the txtactDesc textbox. You can do the same in all places where you get that data, or you can create a function that does other string cleaning and just call that whenever you get string values from the user. This is useful for eliminating SQL injection attacks, though your system may not need that much security. Imagine someone put this string into the txtactDesc box: '; DROP TABLE Activities;--
The sql getting executed now looks like this:
SQL InjectionNo bueno. This code just replaces ' with '' wherever you're pulling data from the user form which should fix your immediate problem:
Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Replace(Me.txtactDesc.VALUE, "'", "''")

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Replace(Me!lstType, "'", "''")
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Replace(Me!CmbSTO.Value, "'", "''")
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub

Open in new window

0
 
LVL 45

Accepted Solution

by:
aikimark earned 500 total points
ID: 40230161
Ah, the curse of the Irish (names).
Change your line 10 to be
vardesc = Replace(vbNullString & Me.txtactDesc.Value, Chr(34), vbNullString)

Open in new window

Change your line 12 to be either
strsql = "Select * From Activities Where ActDesc = """ & vardesc & """"

Open in new window

or
strsql = "Select * From Activities Where ActDesc = " & chr(34) & vardesc & chr(34)

Open in new window

0
 

Author Closing Comment

by:Megin
ID: 40230642
Thank you!  The chr(34) thing was what I was trying to remember. The code works great now!
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
What’s inside an Access Desktop Database. Will look at the basic interface, Navigation Pane (Database Container), Tables, Queries, Forms, Report, Macro’s, and VBA code.
In Microsoft Access, when working with VBA, learn some techniques for writing readable and easily maintained code.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question