Re: Single quote

From: Saga (antiSpam_at_somewhere.com)
Date: 06/17/04


Date: Thu, 17 Jun 2004 09:48:13 -0500


When I applied for employment at an IT consulting firm, I had to fill
out the usual job application; however, in this case they had a wizard
driven program where I filled it out. When I hit the "Finish" button
to save everything it gave me the familiar ODBC -xxxxxxx error
telling me that there was a bad quote somewhere. I had to go back
to each dialog to locate the field where I used the quote and remove
it, which I did. Worked fine after that.

While I agree that parameterized queries and SPs are a better option,
it is indispensable that developers know how to handle the quote issue,
as dynamic queries are still used abundantly.

BTW: I wasn't hired, but if I had been, the first order of business would
have been to fix that app, as it certainly made them look bad and that
is an understatement!

Saga

"Al Reid" <areidjr@reidDASHhome.com> wrote in message
news:%23cAq3D$UEHA.2520@TK2MSFTNGP12.phx.gbl...
> I can't say I disagree at all with your statement. We all know of the
> performance and SQL injection issues. I personally use SP's for everything
> that I put into production. However, sometimes one needs to do something
> quick and dirty for a prototype or to test a concept. For those cases it is
> useful to know your way around the "single quote" problem.
> --
>
> Al Reid
>
> "It ain't what you don't know that gets you into trouble. It's what you know
> for sure that just ain't so." --- Mark Twain
>
>
> "DNagel" <NOTGrandNagel@hotmail.com> wrote in message
> news:%23NR5l9%23UEHA.2992@TK2MSFTNGP12.phx.gbl...
> > Shahri wrote:
> >
> > > Hi all,
> > > How to accomplish this from VB6 against Access database:
> > > insert into table1(a, b, c)
> > > values('Name','Co'de','Desc')
> > > value for column b has a single quote and causing problem.
> > > Thanks in advance,
> > > Shahri
> > >
> >
> > The other two replies circle around the issue of single quotes
> > by asking you to modify your data from code... the end result
> > is as desired, but nonetheless it requires that you interact
> > with the data in a fashion that can possibly be a source of an
> > error... we all make errors... I certainly do <g>
> >
> > I would recommend looking into using Parameterized SQL statements.
> > They offer the ability to push anything you want into the
> > database without modifying the original data, as well as offer
> > performance benefits such as the ability to retain your query
> > in the cache and not have to reparse it each time it's run.
> >
> > On larger systems this yields huge resource savings and speeds
> > up ALL the applications that hit the database.
> >
> > On smaller systems it may not show the performance benefits, but
> > it will allow you to pass data 'unhandled' and it's good practice
> > for when you hit the big-time...
> >
> > Ask any dba about them to see what they think of the idea...
> >
> > D.
>
>
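The three approaches discussed in this thread side by side, as an added example that is not part of any of the original posts: it uses Python with an in-memory SQLite database in place of VB6 against Access, so the exact driver error text differs, but the behaviour is the same. The concatenated statement fails on the quote in Co'de, doubling the quote works around it, and the parameterized form needs no escaping at all.

```python
import sqlite3

# Constructed sample row; the middle value carries the single quote from the thread.
SAMPLE_ROW = ("Name", "Co'de", "Desc")


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (a TEXT, b TEXT, c TEXT)")
    return conn


def insert_by_concatenation(conn, a, b, c):
    """Original approach: build the SQL text by string concatenation.
    A stray quote inside b breaks the statement (the ODBC error in the thread),
    and any quote-containing text would be interpreted as part of the SQL."""
    sql = "INSERT INTO table1(a, b, c) VALUES('%s','%s','%s')" % (a, b, c)
    conn.execute(sql)


def _double_quotes(s):
    # Escaping workaround: a literal ' inside a SQL string is written as ''.
    return s.replace("'", "''")


def insert_with_doubled_quotes(conn, a, b, c):
    """Workaround: escape every single quote before concatenating.
    Correct only if every value passes through the escape function."""
    sql = "INSERT INTO table1(a, b, c) VALUES('%s','%s','%s')" % (
        _double_quotes(a), _double_quotes(b), _double_quotes(c))
    conn.execute(sql)


def insert_parameterized(conn, a, b, c):
    """Recommended: placeholders. The driver passes the values separately from
    the statement text, so no quoting is needed and the SQL never changes."""
    conn.execute("INSERT INTO table1(a, b, c) VALUES(?, ?, ?)", (a, b, c))


def try_insert(method):
    """Run one method on a fresh DB; return ('ok', stored b) or ('error', message)."""
    conn = _fresh_db()
    try:
        method(conn, *SAMPLE_ROW)
        return ("ok", conn.execute("SELECT b FROM table1").fetchone()[0])
    except sqlite3.Error as e:
        return ("error", str(e))
    finally:
        conn.close()


if __name__ == "__main__":
    for m in (insert_by_concatenation, insert_with_doubled_quotes, insert_parameterized):
        print(m.__name__, try_insert(m))
```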