You should build your SQL queries with the ADO Command object and bind values through its Parameters collection, rather than concatenating strings and variables to form the SQL text. Binding values as parameters also avoids the problems of formatting string, date, and time variables by hand. In particular, a query value containing an apostrophe (') can cause a concatenated query to fail.
strSQL = "INSERT INTO person (Name) VALUES ('MyNameWith'Quote')"
Here the name MyNameWith'Quote contains an apostrophe, which conflicts with the apostrophes that delimit the string literal in the VALUES clause. By binding the value as a Command object parameter instead, you avoid this type of problem. The code segment below assumes that cm is an already instantiated Command object whose ActiveConnection has been set to a connection that is already open.
strSQL = "INSERT INTO person (Name) VALUES (?)"   ' ? is the placeholder for the bound value
cm.CommandText = strSQL
' 200 = adVarChar; the omitted direction defaults to adParamInput; 255 is the size
cm.Parameters.Append cm.CreateParameter("Name", 200, , 255)
cm("Name") = "MyNameWith'Quote"   ' sets the parameter's Value; the apostrophe needs no escaping
cm.Execute   ' runs the parameterized INSERT
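The following added example (not from the original page, and not ADO code) shows the same contrast in Python with an in-memory SQLite database, so it can be run without a database server: the concatenated INSERT fails on the apostrophe, while the parameterized INSERT stores the value as given. The table name, column name and sample value mirror the page; the connection and helper functions are constructed here. The failure on an apostrophe is the visible symptom of a broader risk: when the value is spliced into the SQL text, the value can change the statement's meaning, which is the root of SQL injection. Parameter binding removes that risk because the value never passes through the SQL parser.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the page's 'person' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (Name TEXT)")
    return conn


def insert_by_concatenation(conn, name):
    """The pattern the page warns against: the value is spliced into the SQL text.

    Returns the database error message if the statement fails, otherwise None.
    """
    sql = "INSERT INTO person (Name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        # An apostrophe inside the value ends the string literal early and
        # the remaining text is parsed as SQL, producing a syntax error.
        return str(exc)


def insert_by_parameter(conn, name):
    """The pattern the page recommends: a '?' placeholder in the SQL text and
    the value passed separately, so it is never parsed as SQL."""
    sql = "INSERT INTO person (Name) VALUES (?)"
    conn.execute(sql, (name,))
    conn.commit()


def stored_names(conn):
    """Return every Name in the table, sorted, for inspection."""
    return [row[0] for row in conn.execute("SELECT Name FROM person ORDER BY Name")]


def demo(name="MyNameWith'Quote"):
    """Run both approaches against a fresh database and report the outcome."""
    conn = make_db()
    concat_error = insert_by_concatenation(conn, name)
    insert_by_parameter(conn, name)
    return {"concat_error": concat_error, "names": stored_names(conn)}


if __name__ == "__main__":
    result = demo()
    print("concatenation failed with:", result["concat_error"])
    print("rows stored via parameter binding:", result["names"])
```

The same idea carries over to ADO: the `?` in CommandText is the placeholder and the Parameter object carries the value, so the database driver, not string concatenation, is responsible for getting the value into the statement.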