I'm sure this has been discussed, but I can't find a
specific reference.  I have a user NT login with a
single quote in it, like o'reilly.  I capture the NT login
using the cgiparam.  Works great.  Then I want to look
up the person in our employee database, currently in MS
Access, migrating to SQL Server, so the SQL in the
search action correctly escapes the single quote with
another single quote.  No error is produced, but the
search fails to find the person.  I did a workaround in
which I replace the single quote with a % symbol (SQL
wildcard).

instead of user_name like 'o''reilly%'
it is user_name like 'o%reilly%'

This works, but I wonder if there isn't another way that 
I am missing!

Of course you may also ask why do we allow a user to 
have a single quote in their nt login, but that is 
another story!

Thanks,

John Newsom
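As an added example (not code from this post, and not Witango's own code), the Python script below builds a throwaway SQLite table standing in for the employee database and runs the search three ways: the doubled-quote literal from the post, the %-for-quote workaround, and a bound parameter with an ESCAPE clause. It also covers the update problem in the quoted thread below: the blank-field UPDATE that touches every row, the find-exactly-one-row-then-update-by-key approach Bill describes, and reading the autonumber back from the insert so the lookup is not needed at all. The table name, column names and sample rows are constructed assumptions, not the thread's schema.

```python
import sqlite3

# Constructed sample rows standing in for the employee table in the thread.
# The real schema is not given there; table name, columns and data are assumptions.
EMPLOYEES = [
    ("o'reilly", "Tim O'Reilly", "Sales"),
    ("oreilly",  "Ann Oreilly",  "Sales"),
    ("obreilly", "Bob Obreilly", "Support"),
    ("smith",    "Steve Smith",  "Support"),
]
ALLOWED_COLUMNS = {"user_name", "full_name", "dept"}   # column names come from code, never input
LIKE_ESCAPE = "\\"                                     # escape character for LIKE ... ESCAPE


def make_db():
    """In-memory SQLite table with an autonumbered primary key, as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY AUTOINCREMENT,"
                 " user_name TEXT NOT NULL, full_name TEXT NOT NULL, dept TEXT NOT NULL)")
    conn.executemany("INSERT INTO employee (user_name, full_name, dept) VALUES (?, ?, ?)",
                     EMPLOYEES)
    conn.commit()
    return conn


def insert_employee(conn, user_name, full_name, dept):
    """Insert and return the autonumber the database assigned (cursor.lastrowid)."""
    cur = conn.execute("INSERT INTO employee (user_name, full_name, dept) VALUES (?, ?, ?)",
                       (user_name, full_name, dept))
    conn.commit()
    return cur.lastrowid


def search_doubled_quote(conn, login):
    """The post's original query: quote doubled inside the string literal, then LIKE."""
    pattern = login.replace("'", "''") + "%"
    sql = f"SELECT user_name FROM employee WHERE user_name LIKE '{pattern}' ORDER BY user_name"
    return [row[0] for row in conn.execute(sql)]


def search_wildcard_workaround(conn, login):
    """The post's workaround: every quote becomes a % wildcard, so the pattern over-matches."""
    pattern = login.replace("'", "%") + "%"
    sql = f"SELECT user_name FROM employee WHERE user_name LIKE '{pattern}' ORDER BY user_name"
    return [row[0] for row in conn.execute(sql)]


def like_escape(value, esc=LIKE_ESCAPE):
    """Make % and _ in user input literal; the escape character itself is doubled first."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_parameterized(conn, login):
    """Bound parameter plus ESCAPE: the driver handles the quote, ESCAPE handles % and _."""
    pattern = like_escape(login) + "%"
    sql = (f"SELECT user_name FROM employee WHERE user_name LIKE ? ESCAPE '{LIKE_ESCAPE}'"
           " ORDER BY user_name")
    return [row[0] for row in conn.execute(sql, (pattern,))]


def _where(criteria, skip_blank):
    """Build 'WHERE col = ? AND ...' from whitelisted columns; optionally drop blank values."""
    cols, vals = [], []
    for col, val in criteria.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {col!r}")
        if skip_blank and val in (None, ""):
            continue
        cols.append(f"{col} = ?")
        vals.append(val)
    return (" WHERE " + " AND ".join(cols)) if cols else "", tuple(vals)


def unsafe_update_by_criteria(conn, new_dept, **criteria):
    """The pattern warned against in the thread: blank fields are dropped from the WHERE
    clause, so a form left blank updates every row. Returns rows touched."""
    where, vals = _where(criteria, skip_blank=True)
    cur = conn.execute(f"UPDATE employee SET dept = ?{where}", (new_dept,) + vals)
    conn.commit()
    return cur.rowcount


def find_single_id(conn, **criteria):
    """Search with the identifying criteria and insist on exactly one matching row."""
    if not criteria or any(v in (None, "") for v in criteria.values()):
        raise ValueError("every identifying field must be non-blank")
    where, vals = _where(criteria, skip_blank=False)
    rows = conn.execute(f"SELECT id FROM employee{where}", vals).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected exactly one matching row, found {len(rows)}")
    return rows[0][0]


def update_dept_by_id(conn, new_dept, **criteria):
    """Update by primary key only, never by the fuzzy WHERE clause used to find the row."""
    row_id = find_single_id(conn, **criteria)
    cur = conn.execute("UPDATE employee SET dept = ? WHERE id = ?", (new_dept, row_id))
    conn.commit()
    return cur.rowcount   # 0 or 1, never more
```

Against the sample table, the doubled-quote literal and the bound parameter each return only o'reilly, while the %-for-quote workaround returns three users (o'reilly, obreilly and oreilly), because the wildcard also matches zero or more characters of anything. The doubled quote is the standard way to put a quote inside a SQL string literal and works here as it does in SQL Server; whatever caused the miss against Access, the bound-parameter form sidesteps application-side escaping entirely, and the ESCAPE clause keeps a login containing % or _ from turning into a pattern of its own. On the update side, `unsafe_update_by_criteria` with blank fields reports every row as touched, `update_dept_by_id` can only ever touch one, and `insert_employee` returns the autonumber immediately, which is the cleanest fix of all.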
> Steve Strickland,
> 
> Steve Smith is absolutely right. In the event that a user left almost 
> every field blank, and you had changed every include to "false," and 
> you didn't check for valid and sensible data before the insert or update, 
> then you could conceivably overwrite most of the rows in your table 
> with the values in this update command.  But it looks to me like you 
> inserted a row successfully, and don't know what autonumbered 
> primary key value was assigned, so you are trying to update the row 
> by looking for exact matches of virtually everything that was just 
> inserted.  
> 
> My approach, (that I think Steve Smith would approve of, too), would 
> be to do a search (not update) with your same where clause criteria, 
> and make sure there is one and only one row that matches, and 
> thereby retrieve the real primary key and store it in a variable. Then 
> use that in your update command.
> 
> You can also use Witango's check box to prevent nulls in the fields 
> you are using to identify the row, so that an attempt to update with a 
> bunch of blank fields will generate a warning screen.
> 
> Bill
> 
> On Sun, 25 Aug 2002 22:34:30 -0400, Steve Smith wrote:
> 
> >WARNING!!!
> >
> >This is NOT something that you should do with an update action.
> >When you do that, and there are no values filled into a field, you
> >could potentially UPDATE ALL of the records.
> >
> >Bill's advice is true for a search action, but not for an UPDATE or a
> >DELETE action.
> 
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>                 with unsubscribe witango-talk in the message body