How can I insert by asp a string containing '

That's the string

Asp code:

SQL = "insert into tablename (columnA) values ('" & variable & "')"

The problem is when variable contains a ' (single quote), it stops the
string definition and get an error.

Can I do something?

Thanks



--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG

"Santo Santis" wrote:
> How can I insert by asp a string containing '
>
> That's the string
>
> Asp code:
>
> SQL = "insert into tablename (columnA) values ('" & variable & "')"
>
> The problem is when variable contains a ' (single quote), it stops the
> string definition and get an error.
>
> Can I do something?
>
> Thanks


In SQL Server, you escape a single quote in a string literal by doubling the
single quote (e.g. 'I can''t dance'). You can do this in your ASP code
with:

SQL = "insert into tablename (columnA) values ('" & Replace(variable, "'",
"''") & "')"

Craig

Santo Santis (santosanto@supereva.it) writes:
> How can I insert by asp a string containing '
>
> That's the string
>
> Asp code:
>
> SQL = "insert into tablename (columnA) values ('" & variable & "')"
>
> The problem is when variable contains a ' (single quote), it stops the
> string definition and get an error.

Be glad that you got a syntax error, and not exposed this on a web
page where an intruder would have used it to inject SQL commands that
you had not intended that web page to execute.

Never build command strings like this, use parameterized commands instead.


--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp