SQL String Quotes

 
 
Scott
 
      11-15-2008
I've got a db that has a table called USERS that contains ip addresses for
each record. Below, I'm trying to select any user with an ip address equal
to the variable "userIP". What are the proper quotes to use when using SQL
to compare a string variable to a text column?

The database is an Access 2000 database and I'm using ASP Classic.

CODE: ***********************

sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"


 
 
 
 
 
Bob Barrows
 
      11-15-2008
Scott wrote:
> I've got a db that has a table called USERS that contains ip
> addresses for each record. Below, I'm trying to select any user with
> an ip address equal to the variable "userIP". What are the proper
> quotes to use when using SQL to compare a string variable to a text
> column?
> The database is an Access 2000 database and I'm using ASP Classic.
>
> CODE: ***********************
>
> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"


With Jet, either full quotes or single quotes (apostrophes) may be used. Of
course, you could use parameters and never have to worry about delimiters
again, as well as eliminating the possibility that a hacker could compromise
your site using sql injection. See:
http://groups-beta.google.com/group/...e36562fee7804e



--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 
 
 
 
 
Anthony Jones
 
      11-15-2008

"Bob Barrows" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Scott wrote:
>> I've got a db that has a table called USERS that contains ip
>> addresses for each record. Below, I'm trying to select any user with
>> an ip address equal to the variable "userIP". What are the proper
>> quotes to use when using SQL to compare a string variable to a text
>> column?
>> The database is an Access 2000 database and I'm using ASP Classic.
>>
>> CODE: ***********************
>>
>> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"

>
> With Jet, either full quotes or single quotes (apostrophes) may be used.
> Of course, you could use parameters and never have to worry about
> delimiters again, as well as eliminating the possibility that a hacker
> could compromise your site using sql injection. See:
> http://groups-beta.google.com/group/...e36562fee7804e
>
>
>


Whilst I agree completely that a command would be much better than
concatenation in this case, if the REMOTE_ADDR from which the OP will be
drawing the IP address has been hacked to contain something malicious
then the site is already in big trouble.

--
Anthony Jones - MVP ASP/ASP.NET
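
The parameterized form of the query discussed in this thread, as an added example that is not code from any of the posters: an ADODB.Command with a `?` placeholder replaces the concatenated string, so no quote delimiters are needed around the value. The helper name `FindUsersByIP`, the connection string and the `PLACEHOLDER.mdb` path are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Hypothetical helper: returns a recordset of Users rows whose IP column equals userIP.
Function FindUsersByIP(conn, userIP)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? is a positional placeholder: no quote delimiters appear in the SQL text.
    cmd.CommandText = "SELECT * FROM Users WHERE IP = ?"
    ' The value travels separately from the statement, so an apostrophe or a
    ' double quote inside it is compared as data and is never parsed as SQL.
    ' 255 is the maximum length of an Access Text column.
    cmd.Parameters.Append cmd.CreateParameter("ip", adVarWChar, adParamInput, 255, userIP)
    Set FindUsersByIP = cmd.Execute
End Function

Dim conn, rs, userIP
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace the placeholder path with the real .mdb location.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("PLACEHOLDER.mdb")

' Same source for the value as mentioned in the thread.
userIP = Request.ServerVariables("REMOTE_ADDR")
Set rs = FindUsersByIP(conn, userIP)
Do Until rs.EOF
    ' Encode on output so stored values cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("IP") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set conn = Nothing
%>
```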

 