I am running a program on classic ASP and inserting into a database with the following:
CreateJob.CommandText = "INSERT INTO dbo.Jobs (JobID, CompanyName, DateReceived, DateOfDocument, ClientReference, Subject, TypeOfService,DueDate,AssignedAgent, ClientName, Plaintiff, Defendant1, Defendant2, Defendant3, CourtJurisdiction, Court, Subtype, CourtNumber, Amount, ServiceMethod, JobNotes, JobStatus, CreatedBy, CreatedDate) VALUES (" & Request.Form("jobid") & ", '""" & Request.Form("compname") & """', '" & Request.Form("datereceived") & "','" & Request.Form("dateofdoc") & "', '" & Request.Form("clientref") & "', '" & Request.Form("subjects") & "', '" & Request.Form("TypeOfService") & "', '" & Request.Form("duedate") & "', '" & Request.Form("AssignedAgent") & "', '" & Request.Form("ClientName") & "', '" & Request.Form("Plaintiff") & "', '" & Request.Form("Defendant1") & "', '" & Request.Form("Defendant2") & "', '" & Request.Form("Defendant3") & "', '" & Request.Form("CourtJurisdiction") & "', '""" & Request.Form("Court") & """', '" & Request.Form("SubType") & "', '" & Request.Form("CourtNumber") & "', '" & Request.Form("Amount") & "','" & Request.Form("ServiceMethod") & "','" & Request.Form("JobNotes") & "', 'OPEN', '" & Session("LoggedName") & "', CURRENT_TIMESTAMP ) "
However, if one of the value has an apostrophe, the program crashes and I am not sure how to escape it.
Thanks
Replace isn't the way to go here, you are already using a ADODB.Command object so why not use a parameterised query.
Try this;
As you haven't provided information on your field types I can only speculate so instead I've added [datatype] and [size] placeholders for you to replace with ADO data type constants. A good resource for how data types in T-SQL map to ado is this article - Data Type Mapping
sql = ""
sql = sql & "INSERT INTO dbo.Jobs (" & vbCrLf
sql = sql & "JobID, CompanyName, DateReceived, DateOfDocument, ClientReference" & vbCrLf
sql = sql & ", Subject, TypeOfService,DueDate,AssignedAgent, ClientName, Plaintiff" & vbCrLf
sql = sql & ", Defendant1, Defendant2, Defendant3, CourtJurisdiction, Court" & vbCrLf
sql = sql & ", Subtype, CourtNumber, Amount, ServiceMethod, JobNotes, JobStatus" & vbCrLf
sql = sql & ", CreatedBy, CreatedDate" & vbCrLf
sql = sql & ") VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);"
With CreateJob
.ActiveConnection = "yourconnectionstring"
.CommandType = adCmdText
.CommandText = sql
'Add your parameters (all 24 of them in order)
'Assumed JobID is int which equates to adInteger ADO data type constant.
.Parameters.Append(.CreateParameter("@JobID", adInteger, adParamInput, 4))
.Parameters.Append(.CreateParameter("@CompanyName", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@DateReceived", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@DateOfDocument", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@ClientReference", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Subject", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@TypeOfService", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@DueDate", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@AssignedAgent", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@ClientName", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Plaintiff", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Defendant1", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Defendant2", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Defendant3", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@CourtJurisdiction", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Court", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Subtype", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@CourtNumber", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@Amount", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@ServiceMethod", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@JobNotes", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@JobStatus", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@CreatedBy", [datatype], adParamInput, [size]))
.Parameters.Append(.CreateParameter("@CreatedDate", [datatype], adParamInput, [size]))
'Specify your parameter values may need some conversion based on what you are passing.
.Parameters("@JobId").Value = Request.QueryString("jobid")
'Add the other 23 parameters as the above line.
'...
'Doing an INSERT no need to return recordset
Call .Execute(adExecuteNoRecords)
End With
Set CreateJob = Nothing
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 疯言疯语 的文章《SQL insert into database with apostrophe》','https://www.manongdao.com/article-103779.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}