Hi,

I am writing an internal website for my company and need some help. I
need to remove (or escape) the " and ' from the user input so it can
be put in a SQL database. Currently what I have been doing is this

input = Replace(Request.form("input"), "'", "")

and that gets rid of the ' just fine, but how do I work with "? Can I
escape it with a \ or anything so it can go in my SQL database?

Thanks very much for your help!

Re: Removing " in user input by mr_unreliable

mr_unreliable
Tue Nov 07 11:19:30 CST 2006

hi kj44,

Did you try this?

input = Replace(Request.form("input"), """", "")

(If you want to place a double-quote in a vbs quoted
string, you use TWO double-quotes)...

cheers, jw
____________________________________________________________

You got questions? WE GOT ANSWERS!!! ..(but,
no guarantee the answers will be applicable to the questions)


Re: Removing " in user input by K

K
Tue Nov 07 11:29:25 CST 2006

No I didn't..... :) I just kind of figured it wouldn't work.
Thought the second quote would close the first.

I will do that... thanks!
mr_unreliable wrote:
> hi kj44,
>
> Did you try this?
>
> input = Replace(Request.form("input"), """", "")
>
> (If you want to place a double-quote in a vbs quoted
> string, you use TWO double-quotes)...
>
> cheers, jw
> ____________________________________________________________
>
> You got questions? WE GOT ANSWERS!!! ..(but,
> no guarantee the answers will be applicable to the questions)


Re: Removing " in user input by Richard

Richard
Tue Nov 07 11:53:48 CST 2006

Hi,

When I use T-SQL statements to add info to SQL database tables, I replace '
with ''. For example:

strName = "Jim O'Hara"

strName = Replace(strName, "'", "''")

SQL resolves the doubled apostrophe as one single apostrophe. This way the
T-SQL statement does not raise an error, and the character is retained in
the table. However, if the user inputs a double quote character ("), I have
not found that to be a problem. T-SQL statements can have embedded double
quotes. For example:

strName = InputBox("User Name")
strName = Replace(strName, "'", "''")
strSQL = "UPDATE MyTable " _
& "SET Name = '" & strName & "' " _
& "WHERE ID = 4"
Wscript.Echo strSQL

The above gives the proper results even if the user input has ' or "
characters.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

"K.J. 44" <Holleran.Kevin@gmail.com> wrote in message
news:1162920565.823728.79340@m73g2000cwd.googlegroups.com...
> No I didn't..... :) I just kind of figured it wouldn't work.
> Thought the second quote would close the first.
>
> I will do that... thanks!
> mr_unreliable wrote:
>> hi kj44,
>>
>> Did you try this?
>>
>> input = Replace(Request.form("input"), """", "")
>>
>> (If you want to place a double-quote in a vbs quoted
>> string, you use TWO double-quotes)...
>>
>> cheers, jw
>> ____________________________________________________________
>>
>> You got questions? WE GOT ANSWERS!!! ..(but,
>> no guarantee the answers will be applicable to the questions)
>



Re: Removing " in user input by Bob

Bob
Tue Nov 07 11:59:53 CST 2006

Richard Mueller wrote:
> Hi,
>
> When I use T-SQL statements to add info to SQL database tables, I
> replace ' with ''. For example:
>
That's only necessary when using dynamic SQL. All of this delimiter
nonsense can be avoided by using parameters instead of concatenation, as
well as preventing SQL injection.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
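The three approaches in this thread (the original post's stripping of apostrophes, Richard's doubling of apostrophes before concatenation, and Bob's parameters) side by side, as an added example that is not code from any of the posters. It uses Python's sqlite3 module in place of VBScript/ADO and SQL Server, so the string-literal and comment syntax is SQLite's; the MyTable rows and the hostile input are constructed for the demonstration and are not from the thread.

```python
import sqlite3

# Constructed sample table and rows for the demonstration (not from the thread).
ROWS = [(1, "Alice"), (2, "Bob"), (3, "Carol"), (4, "Dave")]


def make_db():
    """Fresh in-memory SQLite database shaped like Richard's MyTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO MyTable (ID, Name) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def strip_apostrophes(s):
    """The original post's approach: delete every ' from the input."""
    return s.replace("'", "")


def double_apostrophes(s):
    """Richard's approach: '' inside a SQL string literal means one '."""
    return s.replace("'", "''")


def update_by_concat(conn, user_input, sanitize=None):
    """Dynamic SQL built by string concatenation, like strSQL in the thread.

    sanitize is an optional function applied to the input before it is
    concatenated. Returns the number of rows the statement changed.
    """
    value = sanitize(user_input) if sanitize else user_input
    sql = "UPDATE MyTable SET Name = '" + value + "' WHERE ID = 4"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_by_param(conn, user_input):
    """Bob's approach: the value is bound as a parameter, never spliced into SQL text."""
    cur = conn.execute("UPDATE MyTable SET Name = ? WHERE ID = 4", (user_input,))
    conn.commit()
    return cur.rowcount


def names(conn):
    """Current Name column, ordered by ID."""
    return [row[0] for row in conn.execute("SELECT Name FROM MyTable ORDER BY ID")]


def run_case(user_input, method, sanitize=None):
    """Apply one update strategy to a fresh database and report the outcome."""
    conn = make_db()
    try:
        if method == "param":
            changed = update_by_param(conn, user_input)
        else:
            changed = update_by_concat(conn, user_input, sanitize)
    except sqlite3.OperationalError as exc:
        # The statement did not parse: the input broke out of the literal.
        return {"error": str(exc), "names": names(conn)}
    return {"changed": changed, "names": names(conn)}


if __name__ == "__main__":
    name = "Jim O'Hara"
    quoted = 'Jim "JJ" Hara'
    # Constructed hostile input: closes the literal, supplies its own WHERE
    # clause, and comments out the rest of the statement.
    payload = "x' WHERE ID = 1 --"

    print("raw concat, O'Hara:      ", run_case(name, "concat"))
    print("strip ', O'Hara:         ", run_case(name, "concat", strip_apostrophes))
    print("double ', O'Hara:        ", run_case(name, "concat", double_apostrophes))
    print("double ', double quotes: ", run_case(quoted, "concat", double_apostrophes))
    print("raw concat, payload:     ", run_case(payload, "concat"))
    print("double ', payload:       ", run_case(payload, "concat", double_apostrophes))
    print("parameter, payload:      ", run_case(payload, "param"))
```

Unescaped concatenation fails outright on O'Hara and, given the hostile input, rewrites row 1 instead of row 4. Stripping apostrophes keeps the statement intact but stores "Jim OHara". Doubling them stores the name correctly, and double-quote characters pass through unchanged, as Richard describes. The parameterized version stores every input, hostile or not, as the literal value of row 4 with no escaping in application code, which is Bob's point.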