Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

recordset vs. SQL execution

Status
Not open for further replies.
ahmun

ahmun

IS-IT--Management
Jan 7, 2002
432
US
Hi all,

I've heard a lot of advice from the gurus of this forum that executing SQL runs much quicker than opening a recordset, setting the field values, and updating.

I was wondering if anybody follows a standard on how to access/manipulate database info.

I'd like to find a way where I don't have to do any major string replacing/formatting to capture user input.

For example: a Last Name field may contain "O'Hare"

If I write a SQL statment there would be a problem because of the ' mark in the name.
Code: 
sSQL = "UPDATE Table SET strLast = '" & Request.Form("strLast") & "' Where critera..."

Wheras if I used a recordset:
Code: 
sSQL = "SELECT * From Table Where [some criteria...]"
myRS.open
myRS("strLast") = Request.Form("strLast")
etc...
I don't have any problems with whatever content. What if the user accidentally enters double-quotes when I thought I'd be clever and ""escape my doublequote in the sSQL string?

Earnie Eng
 
Sort by date Sort by votes
Doublequotes (?) don't need to be escaped in an SQL string, only single quotes needs to be. If the user accidentally typed two single quotes and you double that up to four, it still goes into the database as two single quotes.

I generally create some sort of function to handle the replace for me just because I am lazy. I don't like typing Replace(..."'","''") every time. So what I'll do is createa function like:
Code: 
Function SqlQ(str)
   SqlQ = Replace(str,"'","''")
End Function
Then after I finish my code I will use search and replace to make the function name more understandable (ie, like SqlCleanQuotes). While I'm coding I have a rewally short function to type though :p

-T

barcode_1.gif
 
Upvote 0 Downvote
I've seen reference to that method of replacing single quotes with two single quotes, but I've always glanced over it.

Just to verify:
in a SQL statement, putting two single quotes is equavelent of escaping that character so that the sql engine doesn't misinterpret the info?

Earnie Eng
 
Upvote 0 Downvote
Yep. basically when you double them up like that the SQL Engine goes "Oh, a single quote character" instead of saying "oh, thats the beginning or end of a string/date/etc...where's the rest?"

:)

barcode_1.gif
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

leifoet
  • Locked
  • Question
Problem: sql-Select with request.form
2
Replies
22
Views
1K
leifoet
leifoet
penguinspeaks
  • Locked
  • Question
SQL syntax
Replies
8
Views
330
penguinspeaks
penguinspeaks
axLW
  • Locked
  • Question
reduce number of sql statements and set EOF parameter
Replies
13
Views
471
ChrisHirst
ChrisHirst
EricBCA
  • Locked
  • Question
Is it possible for ASP to connect to SQL Server via ODBC without a password
Replies
1
Views
205
ChrisHirst
ChrisHirst
madanthrax
  • Locked
  • Question
Using parameters when calling a recordset
Replies
0
Views
287
madanthrax
madanthrax

Part and Inventory Search

Sponsor

Back
Top