Solved

Access Form: Error when user enters an apostrophe

Posted on 2014-07-30
Last Modified: 2014-07-30
I have a piece of code that adds what a user enters into an access text box into a table. This works great until an apostrophe is used.

I have run into this problem before and can't remember the way to fix it. I believe it is just some simple code placed around the item. I tried finding this online, but am not having much luck.

The piece of code that I believe is giving me trouble is the line:
 rst!ActDesc.Value = vardesc



The larger piece of code it is located in is this:

Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Me.txtactDesc.Value

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Me!lstType
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Me!CmbSTO.Value
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub


Question by:Megin
5 Comments
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229788
Try replacing single apostrophes with doubles:
vardesc = Replace(Me.txtactDesc.Value, "'", "''")
 

Author Comment

by:Megin
ID: 40229821
Do you mean where I have
txtactDesc = ""
?

I am not sure where that should go in the code.
 
LVL 13

Expert Comment

by:Russell Fox
ID: 40229921
I was assuming the problem was in your SQL query because apostrophes can cause havoc in SQL. In the image below, you can see how the user's apostrophe causes the string to end as far as SQL is concerned. The 2nd query uses two to "escape" the first apostrophe, basically telling the query analyzer "this is just a text apostrophe, not an end of the string":
(image: Escaping an apostrophe in SQL)
If that is the problem, you should sanitize the string as soon as you get it from the users, so I showed how to do that right when you pull the value for vardesc from the txtactDesc textbox. You can do the same in all places where you get that data, or you can create a function that does other string cleaning and just call that whenever you get string values from the user. This is useful for eliminating SQL injection attacks, though your system may not need that much security. Imagine someone put this string into the txtactDesc box: '; DROP TABLE Activities;--
The SQL getting executed now looks like this:
(image: SQL Injection)
No bueno. This code just replaces ' with '' wherever you're pulling data from the user form, which should fix your immediate problem:
Private Sub btnAddNew_Click()

Dim db As DAO.Database
Dim rst As DAO.Recordset
Dim strsql As String
Dim vardesc As Variant
Dim lngID As Long


vardesc = Replace(Me.txtactDesc.VALUE, "'", "''")

strsql = "Select * From Activities Where ActDesc = '" & vardesc & "'"


Set db = CurrentDb
Set rst = db.OpenRecordset(strsql)

If rst.RecordCount = 0 Then
    rst.AddNew

        rst!TypeId.Value = Replace(Me!lstType, "'", "''")
        rst!ActDesc.Value = vardesc
        rst!STOid.Value = Replace(Me!CmbSTO.Value, "'", "''")
    rst.Update
    rst.Bookmark = rst.LastModified
    
End If

lngID = rst!Actid.Value

strsql = "Select Top 1 * from Act_SubTo_Date"

Set rst = db.OpenRecordset(strsql)

rst.AddNew
    rst!Actid.Value = lngID
    rst!ActDate.Value = Nz(Me!ActDate.Value, Date)

rst.Update

txtactDesc = ""

Refresh

rst.Close

Set rst = Nothing
Set db = Nothing

End Sub


 
LVL 45

Accepted Solution

by:aikimark (earned 500 total points)
ID: 40230161
Ah, the curse of the Irish (names).
Change your line 10 to be
vardesc = Replace(vbNullString & Me.txtactDesc.Value, Chr(34), vbNullString)


Change your line 12 to be either
strsql = "Select * From Activities Where ActDesc = """ & vardesc & """"


or
strsql = "Select * From Activities Where ActDesc = " & chr(34) & vardesc & chr(34)


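Both fixes in the comments above (doubling apostrophes, or switching to Chr(34) delimiters after stripping double quotes from the input) rewrite the value before it is spliced into the SQL text. As an added example that is not code from this thread, the same lookup can be done with a parameterised DAO QueryDef, where the value never becomes part of the SQL and no delimiter in the input can alter the query; it assumes the Activities table has a Long key ActID and a Text column ActDesc, and covers only the lookup-and-insert part of btnAddNew_Click.

```vba
' Added example, not code from the thread. Assumes table Activities has a
' Long key ActID and a Text column ActDesc, and form textbox txtactDesc.
Option Explicit

' Returns the ActID whose ActDesc equals desc, or 0 when no row matches.
' desc travels as a query parameter, never as SQL text, so O'Brien or a
' value holding a double quote or a semicolon is matched literally.
Private Function FindActivityID(ByVal db As DAO.Database, ByVal desc As String) As Long
    Dim qdf As DAO.QueryDef
    Dim rst As DAO.Recordset
    ' An empty name gives a temporary QueryDef that is not saved in the database.
    Set qdf = db.CreateQueryDef("", _
        "PARAMETERS pDesc Text(255); " & _
        "SELECT ActID FROM Activities WHERE ActDesc = pDesc;")
    qdf.Parameters("pDesc").Value = desc

    Set rst = qdf.OpenRecordset(dbOpenSnapshot)
    If rst.EOF Then
        FindActivityID = 0
    Else
        FindActivityID = rst!ActID.Value
    End If
    rst.Close
    qdf.Close
End Function

' Lookup-then-insert part of btnAddNew_Click rewritten to use the function.
Private Sub AddOrFindActivity()
    Dim db As DAO.Database
    Dim rst As DAO.Recordset
    Dim desc As String
    Dim lngID As Long

    desc = Nz(Me.txtactDesc.Value, vbNullString)
    Set db = CurrentDb

    lngID = FindActivityID(db, desc)
    If lngID = 0 Then
        ' A DAO field assignment is not SQL text: store the raw value. Doubling
        ' apostrophes here would write O''Brien into the table.
        Set rst = db.OpenRecordset("Activities", dbOpenDynaset)
        rst.AddNew
        rst!ActDesc.Value = desc
        rst.Update
        rst.Bookmark = rst.LastModified
        lngID = rst!ActID.Value
        rst.Close
    End If
    ' lngID is now safe to use for the Act_SubTo_Date insert from the question.
End Sub
```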
 

Author Closing Comment

by:Megin
ID: 40230642
Thank you!  The chr(34) thing was what I was trying to remember. The code works great now!
