SQL String Quotes

Discussion in 'ASP General' started by Scott, Nov 15, 2008.

  1. Scott

    Scott Guest

    I've got a db that has a table called USERS that contains ip addresses for
    each record. Below, I'm trying to select any user with an ip address equal
    to the variable "userIP". What are the proper quotes to use when using SQL
    to compare a string variable to a text column?

    The database is an Access 2000 database and I'm using ASP Classic.

    CODE: ***********************

    sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"
     
    Scott, Nov 15, 2008
    #1

  2. Bob Barrows

    Bob Barrows Guest

    Scott wrote:
    > I've got a db that has a table called USERS that contains ip
    > addresses for each record. Below, I'm trying to select any user with
    > an ip address equal to the variable "userIP". What are the proper
    > quotes to use when using SQL to compare a string variable to a text
    > column?
    > The database is an Access 2000 database and I'm using ASP Classic.
    >
    > CODE: ***********************
    >
    > sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"


    With Jet, either full quotes or single quotes (apostrophes) may be used. Of
    course, you could use parameters and never have to worry about delimiters
    again, as well as eliminating the possibility that a hacker could compromise
    your site using sql injection. See:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e



    --
    Microsoft MVP - ASP/ASP.NET - 2004-2007
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Nov 15, 2008
    #2

  3. "Bob Barrows" <> wrote in message
    news:...
    > Scott wrote:
    >> I've got a db that has a table called USERS that contains ip
    >> addresses for each record. Below, I'm trying to select any user with
    >> an ip address equal to the variable "userIP". What are the proper
    >> quotes to use when using SQL to compare a string variable to a text
    >> column?
    >> The database is an Access 2000 database and I'm using ASP Classic.
    >>
    >> CODE: ***********************
    >>
    >> sSQL = "SELECT * FROM Users WHERE IP= " & "'" & userIP & "'"

    >
    > With Jet, either full quotes or single quotes (apostrophes) may be used.
    > Of course, you could use parameters and never have to worry about
    > delimiters again, as well as eliminating the possibility that a hacker
    > could compromise your site using sql injection. See:
    > http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
    >
    >
    >


    Whilst I agree completely that a command would be much better than
    concatenation in this case, if the REMOTE_ADDR from which the OP will be
    drawing the IP address has been hacked to contain something malicious
    then the site is already in big trouble. ;)

    --
    Anthony Jones - MVP ASP/ASP.NET
     
    Anthony Jones, Nov 15, 2008
    #3
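
Added example (not part of any post in this thread): the parameterized command recommended in reply #2, written for ASP Classic with ADO against the Jet provider. The table and column names come from the original question; the database path and the output loop are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim conn, cmd, rs, userIP

' Same source the thread discusses; bound as data whatever it contains.
userIP = Request.ServerVariables("REMOTE_ADDR")

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed database location; replace with the real .mdb path.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/data/site.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The ? marker takes the place of the value, so the SQL text carries
' no quote delimiters and never changes with the input.
cmd.CommandText = "SELECT * FROM Users WHERE IP = ?"

' Jet binds parameters by position; the name here is only a label.
' 45 characters covers the longest textual IPv6 address.
cmd.Parameters.Append cmd.CreateParameter("ip", adVarWChar, adParamInput, 45, userIP)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No matching user."
Else
    Do Until rs.EOF
        ' & "" turns a Null column into an empty string before encoding.
        Response.Write Server.HTMLEncode(rs("IP") & "") & "<br>"
        rs.MoveNext
    Loop
End If

rs.Close : Set rs = Nothing
Set cmd = Nothing
conn.Close : Set conn = Nothing
%>
```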
