Author: cez
Starting Member
37 Posts
Posted - 2002-07-23 : 08:08:20

Hi! I have a problem. I have a form that gets some text from the user. Based on that text I perform a select on a table. But if the user enters a single quote, everything crashes. I'm sure this is a known problem, so I'll appreciate your help. Thanks.
Author: robvolk
Most Valuable Yak
15732 Posts
Posted - 2002-07-23 : 08:20:11

You can handle it on the web page side or the SQL Server side; it's up to you.

For the SQL Server end, take a look at the SQL Team FAQ: http://www.sqlteam.com/FAQ.asp
There's a link there on how to fix it.

On the web server side, you can do this:

    firstname = Replace(Request.Form("firstname"), "'", "''")

And then include the firstname variable in your call to SQL Server.
Author: spudhead
Starting Member
34 Posts
Posted - 2002-07-23 : 08:23:36

This is in JScript, but there's a VBScript alternative (I just can't think of it).

When you get your form results:

    var myvar = Request.Form("fieldname");

you escape it:

    var myvar = escape(Request.Form("fieldname"));

and all those dodgy characters get converted into nice, database-friendly ones that you can drop into your database.

Remember to unescape the value you get back out of the database:

    var myothervar = unescape(recordset.Fields("mycolumnName"));

HTH
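Added example, not code from the thread: the quote-doubling fix from robvolk's reply and the escape() approach from spudhead's reply, written in JavaScript (the JScript of the thread) and applied to a constructed name containing a single quote, with a small check that walks the resulting T-SQL string literals the way the parser would and reports whether they are balanced. The table and column names are made up.

```javascript
// Added example, not from the thread. Table/column names and the sample name are constructed.

// robvolk's fix, Replace(x, "'", "''"), in JavaScript: double each single quote so
// T-SQL reads it as a literal apostrophe instead of the end of the string.
function escapeSqlLiteral(value) {
  return String(value).replace(/'/g, "''");
}

// How the original page built its statement: raw concatenation of the form field.
function buildQueryUnsafe(firstname) {
  return "SELECT * FROM Customers WHERE FirstName = '" + firstname + "'";
}

// The same statement with the field escaped first.
function buildQueryEscaped(firstname) {
  return "SELECT * FROM Customers WHERE FirstName = '" + escapeSqlLiteral(firstname) + "'";
}

// spudhead's approach: JScript escape() percent-encodes the quote (as %27), so the
// stored value is no longer the user's text and must be unescape()d on the way out.
function jscriptEscape(value) {
  return escape(String(value));
}

// Scans the statement the way the T-SQL tokenizer treats string literals: a quote
// opens a literal, a doubled quote inside one is an escaped quote, a lone quote
// closes it. Returns true when every literal is closed, i.e. the text will parse.
function literalsBalanced(sql) {
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (inLiteral && sql[i + 1] === "'") { i++; continue; } // escaped quote
    inLiteral = !inLiteral;
  }
  return !inLiteral;
}

// Constructed sample: the kind of input cez reports as crashing the form.
const sample = "O'Brien";
console.log(buildQueryUnsafe(sample), literalsBalanced(buildQueryUnsafe(sample)));   // false
console.log(buildQueryEscaped(sample), literalsBalanced(buildQueryEscaped(sample))); // true
console.log(jscriptEscape(sample)); // O%27Brien
```

Doubling quotes only protects values placed inside a string literal; passing the value as a command parameter (an ADODB.Command parameter in classic ASP) keeps user text out of the SQL string altogether.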