Thread: Insert Error
April 6th, 2008, 12:43 PM
Imar (Wrox Author)
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 10,149

Your client is probably inserting something that contains an ' like O'Brien.

Since a ' has special meaning in SQL, this breaks things. The fix is easy: just replace a single ' with two before you send the data to the database. E.g.:

promocode = Replace(promocode, "'", "''")

Note that this is only a short term fix. Google for "SQL Injection" to learn why this is not only a client's nuisance, but also a threat to your application and server. Instead, you should look at solid escaping techniques / validation routines and parameterized queries. You need to use the Parameters collection of the Command object to add new parameters and provide their values.

Imar


---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of Beginning ASP.NET 3.5 : in C# and VB, ASP.NET 2.0 Instant Results and Dreamweaver MX 2004
Want to be my colleague? Then check out this post.
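To show both fixes from the reply side by side in classic ASP, here is an added example (not code from the original post): the quick quote-doubling escape next to an ADODB.Command that passes the value through the Parameters collection. The table name Promotions, its columns PromoCode and Discount, and the connection string are assumptions.

```vbscript
' Added example, not from the original post. Table, columns and connection
' string are assumed for illustration.
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

' Short-term fix: double every single quote so the SQL string literal
' stays intact when the value is glued into the statement text.
Function EscapeSqlString(value)
    EscapeSqlString = Replace(value, "'", "''")
End Function

' Preferred fix: the value never becomes part of the SQL text, so a quote
' (or anything else) inside it cannot change the statement's meaning.
Sub InsertPromoCode(connectionString, promocode, discount)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connectionString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are filled by the parameters appended below, in order.
    cmd.CommandText = "INSERT INTO Promotions (PromoCode, Discount) VALUES (?, ?)"

    cmd.Parameters.Append cmd.CreateParameter("@PromoCode", adVarChar, adParamInput, 50, promocode)
    cmd.Parameters.Append cmd.CreateParameter("@Discount", adInteger, adParamInput, , discount)

    cmd.Execute
    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
End Sub

' Constructed sample input: a promo code containing a quote, the kind of
' value that breaks a naive string-concatenated INSERT.
Dim sample
sample = "O'BRIEN10"
Response.Write "Escaped literal: '" & EscapeSqlString(sample) & "'<br>"
InsertPromoCode "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;", sample, 10
```

The escaping function only protects string literals; numeric columns concatenated into the text still need validation, which is why the parameterized version is the one to keep.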