SQL Insert fields with a ' in them

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

SQL Insert fields with a ' in them

Message

From

02/06/2015 09:22:51

Mike Yearwood
Toronto, Ontario, Canada

02/06/2015 05:36:41

Mark Hardiman
Kernel Software
Ireland, Ireland

General information

Forum:

Visual FoxPro

Category:

Coding, syntax & commands

Title:

Re: SQL Insert fields with a ' in them

Environment versions

Visual FoxPro:

VFP 9 SP2

OS:

Windows Server 2012

Network:

Windows 2008 Server

Database:

MS SQL Server

Application:

Desktop

Miscellaneous

Thread ID:

01620334

Message ID:

01620489

Views:

>>>I'm writing a routine to copy date from a DBF to a SQL server database. Everything works fine except for text and memo fields where there is a ' as this is failing on the insert command. I'm using SQL insert and then a variable list where each variable is a field from the DBF table. Had a look online but my searches are just returning inserting from csv files and not the info I need.
>>>~M
>>
>>Can you share some of your code?
>>
>>Can you use parameters - in this case it would not be an issue. Otherwise you'll have to double the single quote.
>Here is the parameter and the strtran I use and then the insert statement in full. If I don't use the strtran then the insert fails for those records with a ' fails.
>

>...
>mproperty15 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>...
>LcInsert = "Insert into NominalTransaction(NominalBatchNum, NominalStage, NominalJournalNum, NominalTranType, NominalDate," + ;
>			"NominalPeriod, NominalPeriodFirst, NominalPeriodLast, NominalRelease, NominalCostCentreCode, " + ;
>			"NominalCode, NominalDaybook, NominalJournalRef, NominalValue, NominalJournalDesc, " + ;
>			"NominalDesc, NominalPeriodInput, NominalMode, NominalMemo01, NominalLink, " + ;
>			"InsertUser, UpdateUser" + ;
>			")" + ;
>		" VALUES (" + mProperty01 + "," + mProperty02 + "," + mProperty03 + ",'" + mProperty04 + "','" + mProperty05 + "'," + ;
>			mProperty06 + "," + mProperty07 + "," + mProperty08 + "," + mProperty09 + ",'" + mProperty10 + "','" + ;
>			mProperty11 + "','" + mProperty12 + "','" + mProperty13 + "'," + mProperty14 + ",'" + mProperty15 + "','" + ;
>			mProperty16 + "'," + mProperty17 + "," + mProperty18 + ",'" + mProperty19 + "'," + mProperty20 + ",'" + ;
>			mnomuser + "','" + mnomuser + "'" + ;
>			")"
>

Hi Mark

*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
mproperty01 = ntr_desc
lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"

Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.

Map

View

Click here to load this message in the networking platform