i have one database problem, if my sql is like this:
Dim Username
Username = request.form(trim("username"))
Username = Replace(username,"'","''")
Dim email
email = request.form(trim("email"))
email = Replace(email,"'","''")
Dim question
question = request.form(trim("question"))
question = Replace(question,"'","''")
Dim answer
answer = request.form(trim("answer"))
answer = Replace(answer,"'","''")
Dim date_answered
dag = Day(Now())
maand = Month(Now())
jaar = Year(Now())
uur = Hour(Time)
minuten = Minute(Time)
seconden = Second(Time)
datum= jaar & "-" & maand & "-" & dag
tijd = uur & ":" & minuten& ":" & seconden
date_answered = (datum & " " & tijd)
Dim isActive
isActive = "yes"
sql="UPDATE faqtbl SET "
sql=sql & "Name='" & username & "',"
sql=sql & "email='" & email & "',"
sql=sql & "question='" & question & "',"
sql=sql & "answer='" & answer & "',"
sql=sql & "date_answered='" & date_answered & "',"
sql=sql & "isActive='" & isActive & "'"
sql=sql & " WHERE ID='" & lngRecordNo &"';"
on error resume next
there is no problem at all until if the data that i want to add into the database is using double quotes.
please help how do i manipulate the query by using double quotes?
thank you.. 🙂
There is a problem in your code even if the data does not use quotes: your dynamically generated SQL statements are wide-open to SQL interjection attacks. You need to re-write your query to use query parameters. This will address the problem with the quotes, and make your SQL a lot more robust.
Here is a short example of how to modify your
updateto use parameters: