发表新帖
发表新帖

Escaping quotes in a string in VB6

后端 未结
关注
7 582
日久生厌
日久生厌 2020-11-29 11:01

I am trying to make some small changes to an old VB web app I need to add quotes inside of a string I\'ve had no luck so far. The string is 

Dim sql As Stri
7条回答
  • 一整个雨季
    一整个雨季 (楼主)
    2020-11-29 11:42

    I'd recommend you use parameterised SQL instead of building up an adhoc SQL statement like this as you could leave yourself open to SQL injection. This means you don't need to worry about concatenating quotes into the string, as well as also improving query performance (assuming sql server) as it allows execution plan caching and reuse.

    e.g.

    Dim sql As String = "Select * from  Usertask Where UserId = ? AND JobID = ?"

    Then add 2 ADODB.Parameters to the Command object to supply the values for the 2 parameters e.g.

    Set param = New ADODB.Parameter
param.Name = "@UserId"
param.Direction = adParamInput
param.Type = adVarChar
param.Size = (give size of user id field)
param.value = Session("UserId")
yourADOCommand.Parameters.Append param

    And the same again for the JobId parameter.

    0 讨论(0)
 看不清?
提交回复
热议问题