David,

<my 2 cents>
You're right that we _should_ be promoting best practices. OTOH, I just worry that if we assume that the person posing the question doesn't know those practices, we'd overwhelm them with an answer chock full of best practices. Perhaps it might be best for those inclined to add in that little bit (a lot, actually) of their wisdom on best practices AFTER we give the simple answer... I'd hate to see people stop using the list because we give them a page-long answer when two sentences would do.
</my 2 cents>
-- Bill

>-----Original Message-----
>From: David L. Penton [mailto:david@;davidpenton.com]
>Sent: Tuesday, November 05, 2002 3:10 PM
>To: ActiveServerPages
>Subject: RE: SQL query
>
><just_wondering>
>
>Why is it that 20 some-odd people posted responses and no one mentioned
>using Replace() (or the possibility of a SQL injection attack) as well?
>
></just_wondering>
>
>Promoting best practices should be on the mind of all of us. I am even
>guilty of this in this scenario. I should have mentioned that even in
>MSAccess you can use a Command object for querydefs or parameterized
>queries in the VBScript code itself.
>
>Not trying to get into a fight here...just wondering...
>
>David L. Penton, Microsoft MVP
>JCPenney Application Specialist / Lead
>"Mathematics is music for the mind, and Music is Mathematics for the
>Soul. - J.S. Bach"
>[EMAIL PROTECTED]
>
>Do you have the VBScript Docs or SQL BOL installed? If not, why not?
>VBScript Docs: http://www.davidpenton.com/vbscript
>SQL BOL: http://www.davidpenton.com/sqlbol
>
>
>-----Original Message-----
>From: David L. Penton [mailto:david@;davidpenton.com]
>
>' are missing:
>
>' don't use SELECT *
>' write out the column names
>' defeat SQL Injection with Replace() or similar function
>sqlstmt = "SELECT * from [tbluser] WHERE [User] = '" & _
>    Replace(strUser, "'", "''") & "'"
>
>
>-----Original Message-----
>From: Jon Barnhardt [mailto:jon_barnhardt@;educ8.org]
>
>I'm doing a SIMPLE query against an access database and for some reason
>it doesn't like me.
>
>here is the statement:
>sqlstmt = "SELECT * from tbluser WHERE User =" & strUser
>Here is the error:
>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
>operator) in query expression 'User =Chris K'.
>
>what gives?? I just can't see it today...
>
>Thanks again for the help
>Jon
>
>
>---
>You are currently subscribed to activeserverpages as:
>[EMAIL PROTECTED]
>To unsubscribe send a blank email to
>%%email.unsub%%
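To make David's point concrete, here is an added example (not code from anyone in the thread) showing Jon's lookup three ways in a classic ASP page: the original unquoted concatenation, the Replace() escape, and an ADO Command with a parameter, which is the form that needs no escaping rule at all. The Jet connection string, the users.mdb path, the [UserID] column and the parameter size are assumptions; tbluser and [User] come from the thread.

```vbscript
' Added example, not from the thread. Assumed: a Jet/Access file users.mdb
' with table tbluser holding columns [UserID] and [User].
Const adVarWChar = 202
Const adParamInput = 1
Const adCmdText = 1

Dim strUser, conn, cmd, rs, sqlstmt
strUser = Request.Form("user")   ' untrusted input, e.g. "Chris K"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("users.mdb")

' 1) Jon's original: the value is not quoted, so Jet sees  User =Chris K
'    and reports "Syntax error (missing operator)". Adding quotes cures the
'    error but leaves the statement open to SQL injection.
' sqlstmt = "SELECT * from tbluser WHERE User =" & strUser

' 2) David's fix: doubling single quotes stops a quote in the input from
'    ending the string literal. It works for this text column, but it must
'    be repeated on every concatenation and does not apply to numeric columns.
sqlstmt = "SELECT [UserID], [User] FROM [tbluser] WHERE [User] = '" & _
          Replace(strUser, "'", "''") & "'"

' 3) Parameterized query: the value is sent separately from the SQL text,
'    so there is no escaping to forget. Jet uses ? as the positional marker.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT [UserID], [User] FROM [tbluser] WHERE [User] = ?"
cmd.Parameters.Append cmd.CreateParameter("pUser", adVarWChar, _
                                          adParamInput, 50, strUser)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' HTMLEncode on output: the value came from the client and goes back to it.
    Response.Write "Found user " & Server.HTMLEncode(rs("User")) & "<br>"
Else
    Response.Write "No such user<br>"
End If

rs.Close
conn.Close
```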
