Single Quote Marks in a SQL Query

Question:
I have built several pages that use VBScript to pull information from a Microsoft Access database. My problem is that if a user tries to use a single quote ‘ in the form supplied, SQL blows up because of an unterminated single quote mark in the query string. Is there a way to encapsulate the single quote?

Answer:
Single quotes are kind of a pain when trying to mix SQL with ASP. In general, the best way to set up your queries is to make sure that the string that you retrieve doesn’t contain a single quote (yeah, that does sound rather obvious, but in this case it disguises a layer of complexity). One way I’ve found around it is to create a SAFESTRING function. Before passing an expression up to the server through ADO or similar mechanism, I will use the VBScript Replace function to catch both single and double quotes, and replace them with placeholders:

 function MakeSafeString(expr)   expr=replace(expr,chr(34),"#DBLQUOTE#")   expr=replace(expr,"'","#SNGQUOTE#")   SaveString=exprend function

This will turn the expression:

This isn't the "only" solution

into

This is#SNGQUOTE#t the #DBLQUOTEonly#DBLQUOTE# solution

The ConvertSafeString() function takes a safe string pulled from a database query and converts it back into its previous form:

function ConvertSafeString(safeExpr)    expr=Replace(safeExpr,"#SNGQUOTE#","'")    expr=Replace(expr,"#DBLQUOTE#",chr(34))    ConvertSafeString=exprend function

You could also create a version that will save the expression out to HTML safe forms (double quotes become ” while single quotes become ‘ ).

Share the Post:
Share on facebook
Share on twitter
Share on linkedin

Overview

Recent Articles: