<just_wondering>
Why is it that 20 some-odd people posted responses and no one mentioned using Replace() (or the possibility of a SQL injection attack) as well?
</just_wondering>

Promoting best practices should be on the mind of all of us. I am even guilty of this in this scenario. I should have mentioned that even in MS Access you can use a Command object for querydefs or parameterized queries in the VBScript code itself.

Not trying to get into a fight here...just wondering...

David L. Penton, Microsoft MVP
JCPenney Application Specialist / Lead
"Mathematics is music for the mind, and Music is Mathematics for the Soul. - J.S. Bach"
[EMAIL PROTECTED]

Do you have the VBScript Docs or SQL BOL installed? If not, why not?
VBScript Docs: http://www.davidpenton.com/vbscript
SQL BOL: http://www.davidpenton.com/sqlbol

-----Original Message-----
From: David L. Penton [mailto:david@;davidpenton.com]

' are missing:
' don't use SELECT *
' write out the column names
' defeat SQL Injection with Replace() or similar function
sqlstmt = "SELECT * from [tbluser] WHERE [User] = '" & _
          Replace(strUser, "'", "''") & "'"

-----Original Message-----
From: Jon Barnhardt [mailto:jon_barnhardt@;educ8.org]

I'm doing a SIMPLE query against an access database and for some reason it doesn't like me. Here is the statement:

sqlstmt = "SELECT * from tbluser WHERE User =" & strUser

Here is the error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'User =Chris K'.

What gives?? I just can't see it today...

Thanks again for the help
Jon
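The thread mentions two fixes for Jon's concatenated statement: doubling embedded quotes with Replace(), and using an ADODB.Command with a bound parameter so the user's value never becomes part of the SQL text. The following classic ASP page is an added example that does both; it is not code posted by anyone in the thread. Table [tblUser] and column [User] come from the thread; the [Email] column, the data/app.mdb path, the "User" form field and the page name LookupUserEmail are assumptions made for illustration.

```vbscript
<%
' Added example (not from the mailing-list thread): the same lookup against an
' Access database done with an ADODB.Command and a bound parameter, so the
' value of strUser is passed as data rather than spliced into the SQL string.
' [tblUser] and [User] are from the thread; [Email], data/app.mdb and the
' "User" form field are assumed for this illustration.
Option Explicit

' ADO constants (classic ASP does not define them unless adovbs.inc is included)
Const adCmdText    = 1
Const adVarWChar   = 202
Const adParamInput = 1

' Fallback for SQL that genuinely has to be built as a string (for example a
' dynamic querydef): wrap the value in quotes and double every embedded quote.
' This is what the Replace() line in the thread does; the input "O'Brien"
' becomes the literal 'O''Brien'. Prefer parameters whenever the provider
' supports them.
Function SqlLiteral(ByVal value)
    SqlLiteral = "'" & Replace(CStr(value), "'", "''") & "'"
End Function

' Parameterized lookup: returns the e-mail address for a user name, or "" if
' there is no such user. Spaces and apostrophes in strUser are harmless here.
Function LookupUserEmail(ByVal strUser)
    Dim conn, cmd, rs
    LookupUserEmail = ""

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
              Server.MapPath("data/app.mdb")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Name the columns instead of SELECT *; the ? is filled by the parameter
    ' appended below, in positional order.
    cmd.CommandText = "SELECT [User], [Email] FROM [tblUser] WHERE [User] = ?"
    cmd.Parameters.Append cmd.CreateParameter("pUser", adVarWChar, adParamInput, 255, strUser)

    Set rs = cmd.Execute
    If Not rs.EOF Then LookupUserEmail = rs("Email").Value
    rs.Close
    conn.Close
End Function

' Usage: a request with User=Chris K no longer produces the "missing operator"
' error from the thread, because the name is bound as a parameter, not pasted
' into the query text. Output is HTML-encoded before it reaches the browser.
Response.Write Server.HTMLEncode(LookupUserEmail(Request.Form("User")))
%>
```

The Jet OLE DB provider uses positional ? markers, so the order in which parameters are appended must match their order in CommandText. SqlLiteral is kept only for the querydef case David mentions; when the whole statement can go through a Command object, the parameter route removes the quoting problem entirely rather than escaping around it.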
