Ali El-Boghdady
Reputation: 155
Dcount function using parameters
I want to prevent sql injection in my dcount function which I have here
DCount("[Treasury Name]", "tblTreasuries", "[Treasury Name] = '" & txtTreasuryName & "'")
this txtTreasuryName is a form input I have , of course the problem is when I input ' or " in the form i get an error and i don't know the right way to make this statement parametric
Upvotes: 1
Views: 158
Answers (2)
HansUp
Reputation: 97101
I don't understand why a " in txtTreasuryName would break your DCount() expression , but it's clear that a ' would.
Nevertheless you can avoid problems from either type of quote character by using a reference to the textbox instead of concatenating the textbox's value into your DCount() expression.
DCount("*", "tblTreasuries", "[Treasury Name] = Forms!YourFormName!txtTreasuryName")
Upvotes: 1
Gustav
Reputation: 55806
If you can enter "Name1","Name2", then use IN:
Textbox holds: "Name1","Name2"
Count = DCount("*", "tblTreasuries", "[Treasury Name] In (" & Me!txtInput.Value & ")")
Upvotes: 1