asp form works but when user inputs a ' in the field it doesn't write to mysql


jazzyj99
04-02-2005, 09:38 PM
I'm hoping someone has a reason why the following code works correctly if someone inputs any characters other than an ' or should I say an apostrophe in my form. I'm sure it has to do with how I coded my mySQL="INSERT string. Could someone or anyone please help???

tmpFirst = Request.Form("first")
tmpLast = Request.Form("last")
tmpCompany = Request.Form("company")

mySQL="INSERT INTO [testdb].[contactus]([first], [last], [company]) VALUES(' " & tmpFirst &" ', ' " & tmpLast &" ', '" & tmpCompany &" ') "

Thanks,

Jeff

P.S. I'm using ASP and MYSQL

phpnovice
04-02-2005, 10:52 PM
That is because the single quote interferes with the format of the SQL statement. There is nothing technically wrong with how you've formatted your SQL statement. To fix the problem, you need to "escape" the single quote. I'm 100% certain how to do this in PHP -- but I am not so certain about ASP. (I normally use native ADO methods for inserts/updates -- not SQL.) You can try the following before you build the SQL statement:

tmpLast = Replace(tmpLast, "'", "''")

buntine
04-02-2005, 11:04 PM
Yer, that will work fine. And don't worry, it will not store '' in the database.

jazzyj99
04-02-2005, 11:38 PM
Wow, works like a charm. You guys are a LIFESAVER:)

Cheers,

Jeff

phpnovice
04-03-2005, 12:08 PM
Cheers.

...and, thanks for the verification, buntine. ;)
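
Added example, not part of the original thread or any poster's code: the same insert done through an ADO Command with bound parameters, so an apostrophe in a field travels as data and never becomes part of the SQL text. The connection string stored in Application("ContactDbConnString"), the FormText helper and the 100-character column width are assumptions; the table, column and form field names are the ones from the question.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc), declared inline so the page is self-contained.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const adExecuteNoRecords = 128

' Assumed column width; adjust to the real schema.
Const MAX_LEN = 100

' Hypothetical helper: returns the form field as a string, capped at MAX_LEN,
' because ADO raises an error when a value is longer than the parameter size.
Function FormText(fieldName)
    FormText = Left(Request.Form(fieldName) & "", MAX_LEN)
End Function

Dim conn, cmd

Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: the connection string is kept in an application variable.
conn.Open Application("ContactDbConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' Each ? is a positional placeholder; no user input is concatenated into the statement.
cmd.CommandText = "INSERT INTO [testdb].[contactus]([first], [last], [company]) VALUES (?, ?, ?)"

' Parameters are bound in the same order as the placeholders.
cmd.Parameters.Append cmd.CreateParameter("first", adVarChar, adParamInput, MAX_LEN, FormText("first"))
cmd.Parameters.Append cmd.CreateParameter("last", adVarChar, adParamInput, MAX_LEN, FormText("last"))
cmd.Parameters.Append cmd.CreateParameter("company", adVarChar, adParamInput, MAX_LEN, FormText("company"))

' A value such as O'Brien is stored as typed; no Replace() call is needed.
cmd.Execute , , adExecuteNoRecords

Set cmd = Nothing
conn.Close
Set conn = Nothing
%>
```

With bound parameters the quote doubling from the thread must not also be applied, or the doubled apostrophes would be stored literally.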