views: 481
answers: 6

Hello,

I am trying to make some small changes to an old VB web app. I need to add quotes inside of a string, and I've had no luck so far. The string is

Dim sql As String = "Select * from  Usertask Where UserId = " & Session("UserId") & " and JobID=" & ddlReqTask.SelectedValue

I need to add quotes around the Session("UserID") value.

+8  A: 

You can use "" to insert a quote into a string e.g:

dim sometext as String = "Hello ""Frank"" how are you?"

Which gives you

Hello "Frank" how are you?

ilivewithian
+5  A: 

To escape a quote you just need to add another quote, I believe this is what you need:

Dim sql As String = "Select * from  Usertask Where UserId = """ & Session("UserId") & """ and JobID=" & ddlReqTask.SelectedValue
KevB
+3  A: 

You could also use Chr(34) in the concatenation.

Dim sql As String = "Select * from  Usertask Where UserId = " & Chr(34) & Replace(Session("UserId"), Chr(34), Chr(34) & Chr(34)) & Chr(34) & " and JobID=" & CLng(ddlReqTask.SelectedValue)

Either way works (the other examples and this one). Some people prefer this one as it can be less confusing; however, the above examples aren't perfectly legible and aren't exactly rocket science.

Ben
Posting code that contains SQL injection vulnerabilities is bad form. Edited.
rpetrich
How is this any different to the answer above that also contains SQL injection vulnerabilities? How come you haven't commented on that? Also, I'm not recommending using this method; it is simply an answer to a question asked. I'm failing to see how answering a question to broaden someone's knowledge is bad, in a case where other people have already mentioned the SQL injection vulnerabilities.
Ben
+1  A: 

This is a SQL injection vulnerability and you should NOT be doing it. By doing it this way, you allow your users to execute any query they want to by giving you a UserId like

'; DROP TABLE Usertask; --

Instead, use parameters. Depending on how you are executing the SQL, there are different ways to do it; please show us the code that executes the SQL query.


In answer to your question,

Dim StringWithQuotes As String = "Hello, I've got ""Quotes""!"

This string will be

Hello, I've got "Quotes"!

SLaks
A: 

Most SQL servers, in my experience, need a single quote for strings. The best way to do it is to let .NET decide for you, by using SQL parameters. Here's a sample (also in VB.NET): http://www.knowdotnet.com/articles/dynamicsqlparameters.html
This also has the benefit of security against SQL injection.

Kobi
+1  A: 

I'd recommend you use parameterised SQL instead of building up an ad hoc SQL statement like this, as you could leave yourself open to SQL injection. This means you don't need to worry about concatenating quotes into the string, as well as improving query performance (assuming SQL Server), as it allows execution plan caching and reuse.

e.g.

Dim sql As String = "Select * from  Usertask Where UserId = ? AND JobID = ?"

Then add 2 ADODB.Parameters to the Command object to supply the values for the 2 parameters e.g.

Dim param As ADODB.Parameter
Set param = New ADODB.Parameter
param.Name = "@UserId"
param.Direction = adParamInput
param.Type = adVarChar
param.Size = (give size of user id field)
param.Value = Session("UserId")   ' the value is bound separately; it never becomes part of the SQL text
yourADOCommand.Parameters.Append param

And the same again for the JobId parameter.

AdaTheDev
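The question's `Dim sql As String = ...` syntax is VB.NET, whereas the answer above shows classic ADO, so here is the same idea in ADO.NET. This is an added example, not code from the thread or from any of the posters: it rewrites the question's query with `System.Data.SqlClient` parameters and, beside it, keeps the concatenated form only to show what the `'; DROP TABLE Usertask; --` value quoted by SLaks turns the SQL into. Assumptions: SQL Server as the backend, a placeholder connection string, `UserId` stored as `varchar(50)` and `JobID` as `int` (the question does not give the column types), and that the caller converts `Session("UserId")` with `CStr` and `ddlReqTask.SelectedValue` with `Integer.Parse`. Note also that in SQL Server a string literal is delimited with single quotes; with the default `QUOTED_IDENTIFIER ON`, double quotes delimit identifiers, so wrapping the value in `""` as the question asked would not have produced a string literal anyway.

```vb
' Added example (not part of the original thread). Assumes SQL Server via ADO.NET.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module UserTaskQueries

    ' The vulnerable shape from the question, with single quotes around the value.
    ' Kept only to make the failure mode visible: the value is spliced into the SQL text.
    Public Function BuildUnsafeSql(userId As String, jobId As String) As String
        Return "Select * from Usertask Where UserId = '" & userId & "' and JobID=" & jobId
    End Function

    ' Hardened form: the SQL text is constant and the values travel as typed parameters,
    ' so quotes inside userId are data, never syntax, and no escaping is needed.
    Public Function CreateUserTaskCommand(conn As SqlConnection, userId As String, jobId As Integer) As SqlCommand
        Dim cmd As New SqlCommand("SELECT * FROM Usertask WHERE UserId = @UserId AND JobID = @JobID", conn)
        cmd.Parameters.Add("@UserId", SqlDbType.VarChar, 50).Value = userId   ' assumed column type varchar(50)
        cmd.Parameters.Add("@JobID", SqlDbType.Int).Value = jobId             ' assumed column type int
        Return cmd
    End Function

    Sub Main()
        ' Constructed input: the value quoted in the thread as an injection example.
        Dim hostile As String = "'; DROP TABLE Usertask; --"

        ' Shows the concatenated statement the unsafe form would hand to the server.
        Console.WriteLine(BuildUnsafeSql(hostile, "1"))

        ' Placeholder connection string; replace with your own.
        Using conn As New SqlConnection("Server=(local);Database=YourDb;Integrated Security=true")
            conn.Open()
            ' The same hostile value is bound as a parameter: the query simply matches no rows.
            Using cmd As SqlCommand = CreateUserTaskCommand(conn, hostile, 1)
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        Console.WriteLine(reader("UserId"))
                    End While
                End Using
            End Using
        End Using
    End Sub

End Module
```

`SqlParameterCollection.Add(name, SqlDbType, size)` returns the new `SqlParameter`, so the `.Value =` assignment on the call result is the usual one-line binding in VB.NET. Giving the size explicitly (rather than `AddWithValue`) keeps the parameter's declared type stable across calls, which is what allows the execution plan reuse AdaTheDev mentions.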