INSERT info into a Access database for display

sideshow245 · January 7th, 2004, 03:50 PM

Bottom Line Question: How do I eliminate this apostrophe problem? Should I run a string search and delete the apostrophe and replace it with Response.Write "´â?

I am trying to create an asp page that will display text that a user submits on a form, and then displays it on another page for customers to read prior to placing an order. I am designing this for a client, since they have limited knowledge of web design, they do not want to get into html coding.

The program takes what they write and puts it in to an Access database, and then another asp page calls it up prior to placing an order.

Everything works, "almost" except for when the client enters text with an apostrophe.

You can find the working site at (This allows the user to enter info, which will be password protected in the future):
http://www.its-sfbay.com/preorder.html

Then it is displayed on (prior to a customer placing an order):
http://www.its-sfbay.com/display.asp

Everything works until an apostrophe is entered anywhere in the field.

Here is the code for this page:

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
  Option Explicit
  Dim strConnect
%>

<html>
<head>
<title>Place Order Update</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="text.css" rel="stylesheet" type="text/css">
</head>
<body>
<%
  Const adOpenKeySet = 1
  Const adOpenOptimistic = 2

  Dim objCmd, intNoOfRecords
  set objCmd = Server.CreateObject("ADODB.Command")

  Dim strTitle, strCDate, strCopy, strSQL
  strCDate = Request.Form("currentdate")
  strTitle = Request.Form("title")
  strCopy = Request.Form("copy")

  objCmd.ActiveConnection = strConnect
  objCmd.CommandText = "DELETE FROM PreOrder WHERE ID LIKE '1' "
  objCmd.Execute intNoOfRecords
  'Response.Write "This Update command has affected " & _
                   'intNoOfRecords & " records<br><br>"

  strSQL = "INSERT INTO PreOrder (CDate, Title,Copy) VALUES " & _
             "('" & strCDate & "','" & strTitle & "','" & strCopy &"');"
  objCmd.CommandText = strSQL
  objCmd.Execute intNoOfRecords
  Response.Write "This Record Update command has affected " & _
                   intNoOfRecords & " records<br><br>"

  set objCmd = nothing
%>
</body>
</html>

shahchi1 · January 7th, 2004, 04:02 PM

Use VbScript Replace function for all the Request.Form variables:
Replace(Request.Form("variable"),"'","''")

Or a use a function like this

Function Fix_String(varString)
    if isnull(varString) then
        Fix_String = ""
    else
        Fix_String = trim(varString)
        Fix_String = Replace(Fix_String,"'","''")
    end if
End Function

sideshow245 · January 7th, 2004, 04:25 PM

Thank you shahchi1, the VbScript function works like a charm. I don't think there are any other characters that interrupt this code. I guess I will have to keep testing it!