Hi,
Yes, you can add quotes just by replacing the single quote with a double quote. Replacing will add only a single quote in the database.
Example:
strName = "Xyz's"
"Insert into table1(Name) Values('" & Replace(strName,"'","''") & "')"
Regards
Ali Raza
|
While the previous poster did answer your question, the result is very poor and potentially dangerous advice.
That way SQL Injection Attacks lie. Please read SQL Injection Attacks and Tips on How To Prevent Them and then change your code to use parameterised queries rather than string substitution.
|
That way SQL Injection Attacks lie - While you did answer the OP's question, the better answer would have been to replace string injection with parameterised queries. That way you don't have to worry about apostrophes in the data and you help prevent SQL Injection Attacks.
Please read SQL Injection Attacks and Tips on How to Prevent Them
|
Yes, you can.
Try the following format:
str="insert into table1 values (" & """" & var1 & """" & ")"
where var1 may contain single & double quotes.
Hope this helps.
Rupesh Kumar Swami
Software Engineer,
Integrated Solution,
Bikaner (India)
|
Not another one. Please please please! Will people please learn about SQL Injection Attacks!
If you see someone asking a question like this again, the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involves injecting data into a SQL string is potentially dangerous.
Please read SQL Injection Attacks and Tips on How to Prevent Them
|
Yes, you don't want an angry Scot after you!
__________________
Bob is my homeboy.
|
"If it's not Scottish - It's CR****P!"
|
Dave Kreskowiak wrote: "If it's not Scottish - It's CR****P!"
Gaun yersel there, Big Yin.
|
Colin Angus Mackay wrote: Gaun yersel there, Big Yin.
It took me a minute to figure that one out! Thank you!
|
Colin Angus Mackay wrote: Please please please! Will people please learn about SQL Injection Attacks!
No kidding...
|
I think that you should read what you are linking to yourself.
If the values are encoded correctly, there is no problem with concatenating strings to create an SQL query. It's only if you do it wrong that the code is subject to SQL injections.
Doing it right is not trivial, though, and the methods presented in this thread are, for example, not at all suitable if you are using a MySQL database. To encode a string for MySQL you would instead replace "\" with "\\", then replace "'" with "\'".
So, using parameterised queries is good advice. It's not, however, the only way to protect the code against SQL injections.
---
single minded; short sighted; long gone;
|
Hi,
I don't know if other problems could exist, but I've resolved the problem by doubling the apostrophes:
str="INSERT INTO Table1 VALUES(" & Replace(Var1,"'","''") & ")"
In this way, SQL injection by writing apostrophes is not possible (or is it anyway?)
Peace!
|
But you are still injecting values into the SQL command. If you are injecting values into the SQL command then attacks are possible. That's why it is called a SQL injection attack.
|
It isn't that hard to add in code to prevent the injection attacks, if I may add.
|
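The parameterised insert recommended in the replies above, sketched in VB.NET as an added example that is not code from any poster in this thread. It assumes SQL Server through System.Data.SqlClient (the thread does not name the database), a `Name` column of at most 100 characters, and a caller-supplied connection string; `Main` only builds the commands, without connecting, to show that the SQL text stays constant whatever the value contains.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ParameterisedInsertExample
    ' The SQL text is a constant: no user data is ever spliced into it.
    Private Const InsertSql As String = "INSERT INTO table1 (Name) VALUES (@Name)"

    ' Builds the command; the value travels separately from the SQL text.
    ' The NVarChar size of 100 is an assumption about the column definition.
    Function BuildInsert(conn As SqlConnection, name As String) As SqlCommand
        Dim cmd As New SqlCommand(InsertSql, conn)
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name
        Return cmd
    End Function

    ' Executes the insert. connectionString is a placeholder supplied by the caller.
    Sub InsertName(connectionString As String, name As String)
        Using conn As New SqlConnection(connectionString)
            Using cmd As SqlCommand = BuildInsert(conn, name)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    Sub Main()
        ' Constructed sample values: apostrophe, double quotes, backslash,
        ' and text that looks like SQL syntax.
        Dim samples As String() = {"Xyz's", "say ""hello""", "back\slash", "1), (2"}
        For Each sample As String In samples
            ' Built without a connection, only to show what would be sent.
            Using cmd As SqlCommand = BuildInsert(Nothing, sample)
                Console.WriteLine("SQL text : " & cmd.CommandText)
                Console.WriteLine("@Name    : " & CStr(cmd.Parameters("@Name").Value))
            End Using
        Next
    End Sub
End Module
```

Every sample prints the same SQL text; only the parameter value differs, so no Replace call or database-specific escaping rule is involved.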
|
How to add an event to Runtime Controls(TextBox) in vb6
I am using VB6. During Form_Load I am creating a textbox dynamically.
I want to add an event for the textbox.
Please tell me...
Thanks & Regards
Kumaran
|
I guess you have to take the help of APIs for that, as VB6 doesn't have any such provision provided for events.
Thanks & Wishes
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
Is it possible to get the current user's windows logon password? I have an application which requires the user to logon, but would like to first try and logon with the same user name and password the user has as their windows logon, thus if they are the same, I will not need to ask the user for the logon name and password again.
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
Yes, of course. You have to, and if you have no proper right you can't proceed further.
Thanks & wishes
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
My question, although I did not actually say so, is "How do I get the current user's windows logon password, in VB.NET code?"
Sorry for not stating my requirement clearly.
Regards
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
OK, you mean you want your application to use Windows login authentication and proceed by using that username and password. Great idea! I will just try it out and will get back to you.
If I am mistaken please pardon.
Thanks & Regards
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
You can't get the password!!!! How did you ever expect the OS password to be accessible through API??? Microsoft's done some stupid things regarding security, but this is not one of em. The password's hashed anyway. Yeah, you have software that can attempt to crack it. But in a normal PC, a reasonably strong password would take a few days or months to be rebuilt using dictionary cracking, if at all it succeeds.
What you can do is get the current principal of the user and check if that login is within a Windows Role. Ex. if all your users are in the Role named "Administrators", you can get the Thread.CurrentPrincipal and check if that Windows principal is in the role named "Administrators". If no, you can prompt for the user name and password again.
Look up the WindowsPrincipal and WindowsIdentity classes for more info.
SG
|
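The role check described in the reply above, sketched in VB.NET as an added example that is not the poster's code. The module and function names are hypothetical, and the Administrators role is taken from the post's own example; substitute the role your users actually share.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Threading

Module WindowsLogonCheck
    ' Returns the Windows account name when the current thread's principal is an
    ' authenticated Windows user in the given role, otherwise Nothing.
    ' No password is read or needed at any point.
    Function WindowsUserInRole(role As WindowsBuiltInRole) As String
        Dim principal As WindowsPrincipal = TryCast(Thread.CurrentPrincipal, WindowsPrincipal)
        If principal Is Nothing Then Return Nothing

        Dim identity As WindowsIdentity = CType(principal.Identity, WindowsIdentity)
        If Not identity.IsAuthenticated OrElse identity.IsGuest OrElse identity.IsAnonymous Then
            Return Nothing
        End If

        ' With UAC, a non-elevated process is not "in" Administrators even when
        ' the account is a member of that group.
        If Not principal.IsInRole(role) Then Return Nothing
        Return identity.Name   ' DOMAIN\user or MACHINE\user
    End Function

    Sub Main()
        ' Make Thread.CurrentPrincipal reflect the Windows logon; this must be
        ' set before CurrentPrincipal is first read.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

        Dim userName As String = WindowsUserInRole(WindowsBuiltInRole.Administrator)
        If userName IsNot Nothing Then
            Console.WriteLine("Accepted Windows logon: " & userName)
        Else
            Console.WriteLine("Not accepted: prompt for user name and password")
        End If
    End Sub
End Module
```

The application then keys its own session on the returned account name; the Windows password never reaches application code.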
|
i_like_tintin wrote: How did you ever expect the OS password to be accessible through API???
I didn't expect to be able to, but thought I would ask the question, just in case.
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|