I guess because some of us are not familiar with the application of
replace to accomplish this. 

<further_inquiry>

Do you know where we could get some samples or documentation on this
practice?  I think we all want more efficient code.

</further_inquiry>


Pete Lundrigan 
Media Resources Center 
Academic Web Support 
316.978.7759
http://www.mrc.twsu.edu/
[EMAIL PROTECTED] 


-----Original Message-----
From: David L. Penton [mailto:david@davidpenton.com] 
Sent: Tuesday, November 05, 2002 3:10 PM
To: ActiveServerPages
Subject: RE: SQL query

<just_wondering>

Why is it that 20 some-odd people posted responses and no one mentioned
using Replace() (or the possibility of a SQL injection attack) as well?

</just_wondering>

Promoting best practices should be on the mind of all of us.  I am even
guilty of this in this scenario.  I should have mentioned that even in
MSAccess you can use a Command object for querydefs or parameterized
queries in the VBScript code itself.

Not trying to get into a fight here...just wondering...

David L. Penton, Microsoft MVP
JCPenney Application Specialist / Lead
"Mathematics is music for the mind, and Music is Mathematics for the
Soul. - J.S. Bach"
[EMAIL PROTECTED]

Do you have the VBScript Docs or SQL BOL installed?  If not, why not?
VBScript Docs: http://www.davidpenton.com/vbscript
SQL BOL: http://www.davidpenton.com/sqlbol


-----Original Message-----
From: David L. Penton [mailto:david@davidpenton.com]

' are missing:

' don't use SELECT *
' write out the column names
' defeat SQL Injection with Replace() or similar function
sqlstmt = "SELECT * from [tbluser] WHERE [User] = '" & _
    Replace(strUser, "'", "''") & "'"


-----Original Message-----
From: Jon Barnhardt [mailto:jon_barnhardt@educ8.org]

I'm doing a SIMPLE query against an access database and for some reason
it doesn't like me.

here is the statement:
sqlstmt = "SELECT * from tbluser WHERE User =" & strUser
Here is the error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression 'User =Chris K'.

what gives??  I just can't see it today...

Thanks again for the help
Jon
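
A worked sample of the three variants the thread talks about (the original
concatenated statement, the Replace() quoting, and a parameterized
ADODB.Command), added here as an illustration; it is not code from any
message above. It assumes classic ASP / VBScript against an Access (Jet)
file. The table and column names [tbluser], [UserID], [User], [Email], the
file path data/users.mdb, the query-string parameter "user", and the helper
names SqlQuote and FindUser are all assumptions made for the example.

```vbscript
<%
' Added example, not from the thread. Assumed names: [tbluser] with
' columns [UserID], [User], [Email]; database file data/users.mdb.
Option Explicit

' ADO constants normally pulled in from adovbs.inc or the METADATA
' typelib tag; defined here so the page runs without the include.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

Dim strUser, cn
strUser = Request.QueryString("user")   ' untrusted input, e.g. "Chris K"

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
        "Data Source=" & Server.MapPath("data/users.mdb")

' 1. The original, injectable form. With user=x' OR '1'='1 the WHERE
'    clause becomes a tautology and every row in [tbluser] comes back.
'    Kept commented out on purpose.
' sqlstmt = "SELECT * FROM tbluser WHERE User = '" & strUser & "'"

' 2. Doubling single quotes (David's Replace() suggestion) wrapped in a
'    helper so it is not forgotten at some call site. It only protects a
'    value that is placed inside a quoted string literal; an unquoted
'    numeric comparison such as "WHERE UserID = " & strID gets no help
'    from it at all.
Function SqlQuote(s)
    SqlQuote = "'" & Replace(s, "'", "''") & "'"
End Function

' 3. Preferred: a parameterized ADODB.Command. The value is bound to the
'    ? marker by the provider and never becomes part of the SQL text, so
'    quoting, escaping and type handling are no longer the page's job.
'    Columns are written out instead of SELECT *.
Function FindUser(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT [UserID], [User], [Email] " & _
                      "FROM [tbluser] WHERE [User] = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value); Jet binds
    ' parameters positionally, so the name is only a label.
    cmd.Parameters.Append cmd.CreateParameter("pUser", adVarWChar, _
                                              adParamInput, 50, userName)
    Set FindUser = cmd.Execute
End Function

Dim rs
Set rs = FindUser(cn, strUser)
If rs.EOF Then
    Response.Write "No such user."
Else
    ' Encode on the way out as well: the same untrusted value is now
    ' being written into HTML.
    Response.Write Server.HTMLEncode(rs("User")) & " <" & _
                   Server.HTMLEncode(rs("Email")) & ">"
End If
rs.Close
cn.Close
%>
```

Usage: save as a .asp page under an IIS site that has the Jet OLE DB
provider installed and request it with ?user=Chris%20K. Requesting it with
?user=x'%20OR%20'1'='1 returns "No such user." from FindUser, because the
whole string is compared as a single value; only the commented-out
variant 1 would treat it as SQL. Note that Jon's original statement had no
quotes around the value at all, which is why "Chris K" produced a syntax
error rather than a silent injection; Replace() would not have fixed that
form either, so the parameterized Command is the version to keep.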


---
You are currently subscribed to activeserverpages as:
[EMAIL PROTECTED]
To unsubscribe send a blank email to
%%email.unsub%%
