Re: Single quote

From: Al Reid (areidjr_at_reidDASHhome.com)
Date: 06/16/04


Date: Wed, 16 Jun 2004 18:24:17 -0400

I can't say I disagree at all with your statement. We all know of the
performance and SQL injection issues. I personally use SPs for everything
that I put into production. However, sometimes one needs to do something
quick and dirty for a prototype or to test a concept. For those cases it is
useful to know your way around the "single quote" problem.

-- 
Al Reid
"It ain't what you don't know that gets you into trouble. It's what you know
for sure that just ain't so."  --- Mark Twain
"DNagel" <NOTGrandNagel@hotmail.com> wrote in message
news:%23NR5l9%23UEHA.2992@TK2MSFTNGP12.phx.gbl...
> Shahri wrote:
>
> > Hi all,
> > How to accomplish this from VB6 against Access database:
> > insert into table1(a, b, c)
> > values('Name','Co'de','Desc')
> > value for column b has a single quote and causing problem.
> > Thanks in advance,
> > Shahri
> >
>
> The other two replies circle around the issue of single quotes
> by asking you to modify your data from code...  the end result
> is as desired, but nonetheless it requires that you interact
> with the data in a fashion that can possibly be a source of an
> error... we all make errors...  I certainly do <g>
>
> I would recommend looking into using Parameterized SQL statements.
> They offer the ability to push anything you want into the
> database without modifying the original data, as well as offer
> performance benefits such as the ability to retain your query
> in the cache and not have to reparse it each time it's run.
>
> On larger systems this yields huge resource savings and speeds
> up ALL the applications that hit the database.
>
> On smaller systems it may not show the performance benefits, but
> it will allow you to pass data 'unhandled' and it's good practice
> for when you hit the big-time...
>
> Ask any dba about them to see what they think of the idea...
>
> D.
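As an added example (not part of the thread, and not Al Reid's or DNagel's code): the three approaches discussed above, using Python's sqlite3 module as a stand-in for VB6/ADO against Access. The table name and columns come from Shahri's question; the sample row is constructed.

```python
import sqlite3

# Constructed sample row from the thread: the value for column b contains a single quote.
SAMPLE_ROW = ("Name", "Co'de", "Desc")


def open_db():
    """In-memory SQLite database standing in for the Access table1(a, b, c)."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE table1 (a TEXT, b TEXT, c TEXT)")
    return cn


def insert_concatenated(cn, a, b, c):
    """The naive approach: splice the values straight into the SQL text.
    The quote inside b ends the string literal early, so the statement fails
    (and crafted input could change what the statement does)."""
    sql = f"INSERT INTO table1 (a, b, c) VALUES ('{a}', '{b}', '{c}')"
    cn.execute(sql)


def insert_escaped(cn, a, b, c):
    """The quick-and-dirty fix Al Reid refers to: double every single quote so
    the SQL parser reads it as a literal quote character, not a delimiter."""
    def esc(v):
        return v.replace("'", "''")
    sql = f"INSERT INTO table1 (a, b, c) VALUES ('{esc(a)}', '{esc(b)}', '{esc(c)}')"
    cn.execute(sql)


def insert_parameterized(cn, a, b, c):
    """DNagel's recommendation: placeholders in the SQL, values passed separately.
    The driver never interpolates the data into the statement text, so a quote
    in the data is just data and the statement text stays constant (cacheable)."""
    cn.execute("INSERT INTO table1 (a, b, c) VALUES (?, ?, ?)", (a, b, c))


def stored_b_values(cn):
    """Column b of every row, in insertion order."""
    return [row[0] for row in cn.execute("SELECT b FROM table1 ORDER BY rowid")]


def demo():
    """Run all three against the sample row; return (concat_failed, stored b values)."""
    cn = open_db()
    try:
        insert_concatenated(cn, *SAMPLE_ROW)
        concat_failed = False
    except sqlite3.OperationalError:  # syntax error at the stray quote
        concat_failed = True
    insert_escaped(cn, *SAMPLE_ROW)
    insert_parameterized(cn, *SAMPLE_ROW)
    return concat_failed, stored_b_values(cn)
```

Both the escaped and the parameterized insert store `Co'de` intact; only the parameterized form keeps that guarantee without any per-value string handling.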

