Quotes in SQL-strings? - Level Extreme

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

Quotes in SQL-strings?

Message

From

22/05/2007 09:11:50

Olaf Doschke
Setmics
Hamburg, Germany

22/05/2007 06:52:19

Kjell Svedlund
Karolinska University Hospital
Stockholm, Sweden

General information

Forum:

Visual FoxPro

Category:

Coding, syntax & commands

Title:

Re: Quotes in SQL-strings?

Environment versions

Visual FoxPro:

VFP 9 SP1

OS:

Windows XP

Network:

Windows 2003 Server

Database:

MS SQL Server

Miscellaneous

Thread ID:

01227570

Message ID:

01227602

Views:

>Hallo.
>Hope I can explain my problem.
>When I'm sending a command to the SQL-server, I make a string with single or double quotes (chr(39) or chr(34)).
>But if the user uses a quote in his searchcondition, the string will be corrupt. How do I deal with quotes in the searchconditions to avoid those problem.
>
>Example:
>Lets say that the user is looking for a monitor 14".
>

>=SQLEXEC(nHandle,"select *  from sqltable where field='monitor 14"' ","Result")
>

>This will not work as you see.
>
>/Kjell

"...."..." does not work as a string literal, but you can have ",' and [] in a string, no problem. Delimiters are just needed for source code/string literals, but a string var does not contain the outer delimiters, so anything can be inside a string var, in vfp strings even chr(0), which would terminate a C string.

So input of 14" monitor is no problem, if you create that sql string with:

lcSQL = "select *  from sqltable where field='"+userinput+"'"

The problem with that would rather be userinput including a single quote, like O'Neil, SQL Server would not be able to parse that SQL. On the VFP side every input would be fine.

So if you create the sql string, you just need to make sure the userinput does not contain singel quates. There is a way to include these and search for 1'20" monitors: double the single quote, like Naomi said. Then there should be no carriage return and line feed in the string.

So a way to process the userinput would be:

userinput = alltrim(thisform.inputtextbox.value)
userinput = strtran(userinput,"'","''")
userinput = chrtran(userinput,chr(13)+chr(10),space(0))

You could still run into problems with other special chars a user might input. By pressing ALT+3digits you can input quite anything even into a textbox, where you would not expect a carriage return.

So even more failsafe would be a parameterized sql, which means a placeholder in a constant sql statement string and additional automatic passing of parameters as their type, no conversion problems, no parsing problems:

userinput = alltrim(thisform.inputtextbox.value)
* no other processing needed!
SQLEXEC(nHandle,"select * from sqltable where field=?userinput","Result")

This compares to Borislav's even better example. SQLEXEC then passes that sql string and the variable userinput seperately and SQL server would need to parse the variable name only, then look up the string from that passed var.

Bye, Olaf.

Map

View

Click here to load this message in the networking platform