>cSqlInsert = "INSERT INTO EMAILSEND (FROM_NAME, FROM_EMAIL, TO_EMAIL) values " + ;
>"('" + lcSendName + "', '" + lcSenderEmail + "', '" + lcRecipientEmail + "' )"
Whoa dude! Don't do that!
DON'T EVER, EVER, EVER write a SQL statement like that, as it opens you up to SQL Injection. ALWAYS use named parameters for this sort of thing.
And in your case you already have the variables anyway. Not only is it easier to write, it's secure, with no possibility of SQL Injection for the variables passed.
cSqlInsert = "INSERT INTO EMAILSEND (FROM_NAME, FROM_EMAIL, TO_EMAIL) values " + ;
"(?lcSendName,?lcSenderEmail,?lcRecipientEmail)"
You just have to make sure that the variables you use are in scope when the actual SQL statement executes.
I thought we were past this 15+ years ago. Hmmm...
+++ Rick ---
>Hi,
>
>How do you suggest to deal with a possible apostrophe in an email address (name part of the email)?
>The code creates a SQL insert that will be executed on the server. Simplified this SQL insert looks like this:
>
>cSqlInsert = "INSERT INTO EMAILSEND (FROM_NAME, FROM_EMAIL, TO_EMAIL) values " + ;
>"('" + lcSendName + "', '" + lcSenderEmail + "', '" + lcRecipientEmail + "' )"
>
>
>But if the variable storing the recipient email has an apostrophe (e.g. O'Neil), the program bombs with run-time error. How do I change the lcRecipientEmail above so that it would work with any email address?
>
>TIA
>
>UPDATE. I think I just need to apply the following:
>
>
>lcRecipientEmail = "'" + STRTRAN(lcRecipientEmail,['],['']) + "'"
>
>
>Is this correct?
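The difference Rick describes, shown as an added example that is not code from the thread: Python's sqlite3 module, whose positional `?` placeholders play the role of VFP's `?lcVariable` parameters. The EMAILSEND table and the sample addresses are constructed here; the concatenated version fails on the apostrophe exactly as the question reports, the parameterized one does not.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the EMAILSEND table from the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EMAILSEND (FROM_NAME TEXT, FROM_EMAIL TEXT, TO_EMAIL TEXT)")
    return db

def insert_concatenated(db, send_name, sender_email, recipient_email):
    """String-building as in the question: the values become part of the SQL text.
    An apostrophe in the data breaks the statement, and the data can also change
    what the statement means, which is the injection risk."""
    sql = ("INSERT INTO EMAILSEND (FROM_NAME, FROM_EMAIL, TO_EMAIL) values "
           "('" + send_name + "', '" + sender_email + "', '" + recipient_email + "')")
    db.execute(sql)
    db.commit()

def insert_parameterized(db, send_name, sender_email, recipient_email):
    """Placeholders, the equivalent of ?lcSendName in VFP: the statement and the
    values travel separately, so the values are never parsed as SQL and need no
    quoting or escaping at all."""
    sql = "INSERT INTO EMAILSEND (FROM_NAME, FROM_EMAIL, TO_EMAIL) values (?, ?, ?)"
    db.execute(sql, (send_name, sender_email, recipient_email))
    db.commit()

def rows(db):
    return db.execute("SELECT FROM_NAME, FROM_EMAIL, TO_EMAIL FROM EMAILSEND").fetchall()

def demo():
    db = make_db()
    recipient = "o'neil@example.com"   # constructed sample address with an apostrophe
    try:
        insert_concatenated(db, "Sender", "sender@example.com", recipient)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False               # the run-time error the question describes
    insert_parameterized(db, "Sender", "sender@example.com", recipient)
    return concat_ok, rows(db)

if __name__ == "__main__":
    print(demo())
```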