
Use of apostrophe in user comments gets error in update query

Status
Not open for further replies.

squirleegirl

Programmer
Jun 24, 2003
59
US
Hi!

I've got a section that the user needs to leave comments in. Everything works fine as long as the user doesn't use an apostrophe in their comments. This causes a syntax error in the update statement.

My code is simple - request the information from the form into a variable and use that variable in my update query (or insert).

Like I said, works fine if there are no apostrophes. Does anyone know how to work around this?

Thanks in advance,
Squirleegirl
 
replace(myVar,"'","''")

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)

 
In fact, you should do a quick keyword search or Google search on SQL injection - a very real way your database can be hacked.


sql = "INSERT myTable VALUES ('" & replace(request("myVar"),"'","''") & "')"

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)
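
The parameterized alternative to the Replace() approach discussed in this thread, as an added example that is not part of the original posts: the comment is sent to the database as a bound parameter through ADODB.Command, so an apostrophe never becomes part of the SQL text. The column names "comments" and "id", the form field "id", and the connection string are assumptions; only myTable and the form field myVar come from the thread.

```vbscript
<%
Option Explicit
' ADO constants, declared inline so adovbs.inc is not needed.
Const adInteger = 3, adLongVarWChar = 203
Const adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128

Dim comments, idText, re, conn, cmd, size

comments = Request.Form("myVar") & ""      ' force a string, even if the field is missing
idText = Request.Form("id") & ""           ' "id" is an assumed form field

' Accept only a plain non-negative integer short enough for CLng.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(idText) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "YOUR_CONNECTION_STRING"         ' placeholder, not from the thread

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are filled from the Parameters collection, in order.
' Column names "comments" and "id" are assumed.
cmd.CommandText = "UPDATE myTable SET comments = ? WHERE id = ?"

' A long-text parameter needs a size of at least 1, even for an empty comment.
size = Len(comments)
If size = 0 Then size = 1

cmd.Parameters.Append cmd.CreateParameter("comments", adLongVarWChar, adParamInput, size, comments)
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idText))

' The comment travels as data, so text containing an apostrophe needs no Replace().
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

The same pattern works for the INSERT shown above: one ? per value and one appended parameter for each.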
