| Author |
Topic |
|
DaveA
Starting Member
6 Posts |
Posted - 2006-01-27 : 10:16:56
|
| I am having problems inserting text which has the " character. In some cases, I have achieved success by rearranging the SQL statement but was not convinced that was a complete solution. I now have a statement which fails when " appears in the text and changing the order of columns in the update statement has failed. Any ideas?
Dave
SQL Server 2000 + Delphi 2005 + ADO controls. |
|
|
Norwich
Posting Yak Master
158 Posts |
Posted - 2006-01-27 : 10:51:31
|
| Please post your code and the error
N
The revolution won't be televised! |
 |
|
|
Billkamm
Posting Yak Master
124 Posts |
|
|
jsmith8858
Dr. Cross Join
7423 Posts |
Posted - 2006-01-27 : 16:30:16
|
| This is one of the many reasons why you should use parameters and not build SQL strings dynamically and execute them. |
 |
|
|
DaveA
Starting Member
6 Posts |
Posted - 2006-01-28 : 06:08:10
|
| On further investigation, the SQL statement I am constructing dynamically is accepted by SQL Server if submitted using Query Analyzer. This suggests that the problem lies in the Delphi ADO components. Many thanks for the replies. |
 |
|
|
Kristen
Test
22859 Posts |
Posted - 2006-01-28 : 07:00:12
|
| If you do not have this cracked in your application's function library I would suggest that you are probably not immune to injection attacks, so you might want to take that into account whilst you are working on a solution to this specific problem. We pass all dynamic sql strings through a quote-doubler function, which also does some other duties. However, we more commonly use parameterized Sproc calls in the way that jsmith8858 said
Kristen |
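The approaches mentioned in this thread, side by side, as an added example that is not part of the original posts: string-built SQL, a quote-doubler, and bound parameters. It uses Python's built-in sqlite3 as an offline stand-in for SQL Server and ADO; the table, the function names (including `double_quotes`) and the sample text are constructed for illustration.

```python
import sqlite3

# Constructed sample text containing both quote characters.
SAMPLE = 'He said "it\'s 6\' 2" tall"'

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return db

def insert_concatenated(db, text):
    """Fragile pattern: the value is pasted into the statement text."""
    sql = "INSERT INTO notes (body) VALUES ('" + text + "')"
    db.execute(sql)  # the parser sees any ' in text as the end of the literal

def double_quotes(text):
    """Hypothetical quote-doubler: escape the string delimiter by doubling it."""
    return text.replace("'", "''")

def insert_doubled(db, text):
    sql = "INSERT INTO notes (body) VALUES ('" + double_quotes(text) + "')"
    db.execute(sql)

def insert_parameterized(db, text):
    """Bound parameter: the value travels as data and is never parsed as SQL."""
    db.execute("INSERT INTO notes (body) VALUES (?)", (text,))

def stored_bodies(db):
    return [row[0] for row in db.execute("SELECT body FROM notes ORDER BY id")]

def demo():
    db = open_db()
    try:
        insert_concatenated(db, SAMPLE)
        concatenated_ok = True
    except sqlite3.Error:
        concatenated_ok = False  # syntax error: the quote ended the literal early
    insert_doubled(db, SAMPLE)
    insert_parameterized(db, SAMPLE)
    return concatenated_ok, stored_bodies(db)

if __name__ == "__main__":
    print(demo())
```

The quote-doubler only works if every dynamic string passes through it and it matches the delimiter the server actually uses; the bound parameter has no such dependency.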