Reputation: 23
I have one database problem. If my SQL is like this:
' Read each form field, trim it, and double any single quotes
' (the only escaping this version does before concatenating into SQL)
Dim Username
Username = Trim(Request.Form("username"))
Username = Replace(Username, "'", "''")
Dim email
email = Trim(Request.Form("email"))
email = Replace(email, "'", "''")
Dim question
question = Trim(Request.Form("question"))
question = Replace(question, "'", "''")
Dim answer
answer = Trim(Request.Form("answer"))
answer = Replace(answer, "'", "''")
' Build a "yyyy-m-d h:m:s" timestamp by hand (no zero padding)
Dim date_answered, dag, maand, jaar, uur, minuten, seconden, datum, tijd
dag = Day(Now())
maand = Month(Now())
jaar = Year(Now())
uur = Hour(Time)
minuten = Minute(Time)
seconden = Second(Time)
datum = jaar & "-" & maand & "-" & dag
tijd = uur & ":" & minuten & ":" & seconden
date_answered = datum & " " & tijd
Dim isActive
isActive = "yes"
' Concatenate the values straight into the UPDATE statement
Dim sql
sql = "UPDATE faqtbl SET "
sql = sql & "Name='" & Username & "',"
sql = sql & "email='" & email & "',"
sql = sql & "question='" & question & "',"
sql = sql & "answer='" & answer & "',"
sql = sql & "date_answered='" & date_answered & "',"
sql = sql & "isActive='" & isActive & "'"
sql = sql & " WHERE ID='" & lngRecordNo & "';"
On Error Resume Next
There is no problem at all until the data that I want to add into the database uses double quotes. Please help: how do I manipulate the query when using double quotes? Thank you.. :)
Upvotes: 0
Views: 303
Reputation: 726479
There is a problem in your code even if the data does not use quotes: your dynamically generated SQL statements are wide open to SQL injection attacks. You need to rewrite your query to use query parameters. This will address the problem with the quotes, and make your SQL a lot more robust.
Here is a short example of how to modify your update to use parameters:
Imports System.Data.SqlClient

Public Class Example
    ' Every user-supplied value is bound as a parameter, so the SQL text never
    ' contains form data and quotes of either kind need no escaping.
    ' The id argument stands in for lngRecordNo from the question.
    Private Sub Update(ByVal userName As String, ByVal email As String, ByVal id As Long)
        ' Using blocks dispose the connection and command even if an exception is thrown
        Using con As New SqlConnection("Data Source=.;Integrated Security=True;<...>")
            con.Open()
            Dim cmdText As String = _
                "UPDATE faqtbl SET Name=@UserName, Email=@email WHERE ID=@ID"
            Using cmd As New SqlCommand(cmdText, con)
                With cmd.Parameters
                    .Add(New SqlParameter("@UserName", userName))
                    .Add(New SqlParameter("@email", email))
                    .Add(New SqlParameter("@ID", id))
                End With
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Class
Upvotes: 5
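The same parameterised UPDATE written in Python against an in-memory SQLite stand-in for faqtbl, added here as an illustration and not part of either post; the table, the sample rows and SAMPLE_NOW are constructed so it runs offline.

```python
import sqlite3
from datetime import datetime

# Column names are fixed by the code, never taken from the request
FAQ_COLUMNS = ("Name", "email", "question", "answer", "date_answered", "isActive")
SAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5)  # constructed fixed timestamp for testing


def open_test_db():
    """Constructed in-memory stand-in for faqtbl with two rows, so we can
    check that an update touches only the targeted ID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faqtbl (ID INTEGER PRIMARY KEY, Name TEXT, email TEXT, "
                 "question TEXT, answer TEXT, date_answered TEXT, isActive TEXT)")
    conn.executemany("INSERT INTO faqtbl (ID, Name, isActive) VALUES (?, ?, 'no')",
                     [(1, "first"), (2, "second")])
    return conn


def date_answered_now(now=None):
    """Same 'yyyy-m-d h:m:s' layout the question builds by hand (no zero padding)."""
    now = now or datetime.now()
    return f"{now.year}-{now.month}-{now.day} {now.hour}:{now.minute}:{now.second}"


def update_faq(conn, record_id, form, now=None):
    """Parameterised equivalent of the question's UPDATE. Form values travel
    as bound parameters, so single or double quotes in them are plain data
    and no Replace()-style escaping is needed. Returns rows affected."""
    values = {
        "Name": form["username"].strip(),
        "email": form["email"].strip(),
        "question": form["question"].strip(),
        "answer": form["answer"].strip(),
        "date_answered": date_answered_now(now),
        "isActive": "yes",
    }
    assignments = ", ".join(f"{col} = ?" for col in FAQ_COLUMNS)
    sql = f"UPDATE faqtbl SET {assignments} WHERE ID = ?"
    params = [values[col] for col in FAQ_COLUMNS] + [record_id]
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def read_row(conn, record_id):
    """Return one faqtbl row as a dict (or None), also via a bound parameter."""
    cols = ("ID",) + FAQ_COLUMNS
    row = conn.execute(f"SELECT {', '.join(cols)} FROM faqtbl WHERE ID = ?",
                       (record_id,)).fetchone()
    return dict(zip(cols, row)) if row else None
```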