[V4MD] Escaping (allowing) single quote char
Ruslan Zasukhin
sunshine at public.kherson.ua
Mon Sep 22 12:21:22 CDT 2008
On 9/22/08 8:12 PM, "Irv Kalb" <Irv at furrypants.com> wrote:
> I'm trying to do a search in a table where the value of the field I'm
> trying to match has a single quote character in it. I'm doing this
> in a routine and passing in a string to search for. The entries in
> this field are often multiple words. I've found that for multiple
> words, you need to surround the match word in single quotes. The
> code is like this:
>
> cursor = poDB.SqlQuery("SELECT * FROM WordMapping WHERE WordFound = " & "'" & theWordIn & "'")
>
> This works fine on multiple words (e.g., 'one two three'). But it
> fails if one of them has a single quote in it - the particular three
> word phrase it's getting caught on is: 'of humanity's past'.
>
> Error:462848
>
> This seems perfectly reasonable as I'm using single quotes as the
> delimiter. But how can I specify that I want to search for a match
> where fields will have BOTH embedded spaces and one or more single
> quotes?
>
> I see that there is a function called EscapeString, but I am unclear
> as to how I would use it in this case.
Easy.
The rule is simple:
IF you build a query string as a CONCAT of something
with strings **from user input**, you should use
EscapeString() on those strings:
cursor = poDB.SqlQuery("SELECT * FROM WordMapping WHERE WordFound = " & "'" & EscapeString(theWordIn) & "'")
--
Best regards,
Ruslan Zasukhin
VP Engineering and New Technology
Paradigma Software, Inc
Valentina - Joining Worlds of Information
http://www.paradigmasoft.com
[I feel the need: the need for speed]
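The following is an added, stand-alone illustration of the point made in this thread; it is not code from the original posts and it does not use Valentina or REALbasic. It runs the same three cases against an in-memory SQLite table named like the one in the question: raw concatenation (which breaks on "of humanity's past"), concatenation through an escaping function, and a bound parameter. The `escape_sql_string` helper is an assumed stand-in that doubles single quotes, which is how standard SQL spells a literal quote inside a quoted string; it is not Valentina's EscapeString() implementation, and the table rows and the crafted `' OR '1'='1` input are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the original post.
SAMPLE_ROWS = [
    ("one two three",),
    ("of humanity's past",),
    ("humanity",),
]


def make_db():
    """Build an in-memory WordMapping table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WordMapping (WordFound TEXT)")
    conn.executemany("INSERT INTO WordMapping VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_sql_string(s):
    """Assumed stand-in for an EscapeString()-style helper.

    Doubles every single quote, which is the standard SQL way to put a
    literal quote inside a single-quoted string. This is an assumption
    about what such a helper does, not Valentina's actual implementation.
    """
    return s.replace("'", "''")


def query_concat_unescaped(conn, word):
    """The original post's approach: raw concatenation of user input."""
    sql = "SELECT * FROM WordMapping WHERE WordFound = '" + word + "'"
    return conn.execute(sql).fetchall()


def query_concat_escaped(conn, word):
    """Concatenation, but the user input is escaped first."""
    sql = ("SELECT * FROM WordMapping WHERE WordFound = '"
           + escape_sql_string(word) + "'")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, word):
    """Preferred where the driver supports it: the value is bound as a
    parameter and never becomes part of the SQL text at all."""
    return conn.execute(
        "SELECT * FROM WordMapping WHERE WordFound = ?", (word,)
    ).fetchall()


def demo(word):
    """Run all three variants for one search term and collect the outcome.

    The unescaped variant raises on a quote in the input, so its error
    message is recorded instead of rows.
    """
    conn = make_db()
    results = {}
    try:
        results["unescaped"] = query_concat_unescaped(conn, word)
    except sqlite3.OperationalError as exc:
        results["unescaped"] = "error: " + str(exc)
    results["escaped"] = query_concat_escaped(conn, word)
    results["parameterized"] = query_parameterized(conn, word)
    conn.close()
    return results


if __name__ == "__main__":
    for term in ("one two three", "of humanity's past", "' OR '1'='1"):
        print(repr(term))
        for variant, outcome in demo(term).items():
            print("  %-13s %r" % (variant, outcome))
```

The crafted `' OR '1'='1` input shows why the rule matters beyond the syntax error in the question: without escaping, the quote closes the string literal and the rest of the input becomes part of the WHERE clause, so every row comes back; with escaping or a bound parameter it is just an unmatched search term.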