esposito
Centurion
Hello, I have a serious problem dealing with database interrogation through SQL statements. To interrogate my database of employees by surname, I use the following code:
Visual Basic:
Imports System.Data
Imports System.Data.OleDb

' The keyword typed by the user is spliced directly into the SQL text
Dim mykeyword As String = txtKeyWord.Text
Dim MySQL As String = "Select * from employees WHERE surname = '" & mykeyword & "' Order by id_employee"
Dim myConn As OleDbConnection = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;" & "Data Source=" & Server.MapPath("employees.mdb") & ";")
Dim ds As DataSet = New DataSet()
' The adapter opens and closes the connection itself during Fill
Dim Cmd As New OleDbDataAdapter(MySQL, myConn)
Cmd.Fill(ds, "employees")
myDataGrid.DataSource = ds.Tables("employees").DefaultView
myDataGrid.DataBind()
myConn.Close()
Now, the problem arises when the user types one or more apostrophes (') in the TextBox for the keyword. The apostrophes interfere with the SQL string and the search simply fails.
I suppose I should check the content of the textbox before executing the query, to make sure there are no invalid characters, but I don't know how to look for a specific character in a string and replace it.
Besides, I think that it would be absurd to prevent the user from typing apostrophes because that character is so common that it would become a serious limitation.
I suppose I am not the first person who has encountered such a problem, so if you know the solution, please help me.
Thanks in advance.
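The failing search is a symptom of the keyword being pasted into the SQL text: an apostrophe in the surname closes the string literal early, and whatever follows is read as SQL. The fix is not to strip or double apostrophes but to send the keyword as a parameter, so the database receives it as a value and never parses it. The following is an added example, not code from the original post; it assumes the same txtKeyWord TextBox, myDataGrid control and employees.mdb file named in the question, and rewrites the same query with an OleDbCommand parameter (OleDb uses positional "?" placeholders rather than named ones).

```vbnet
Imports System.Data
Imports System.Data.OleDb

' Added example (not from the original post): the employee search from the
' question, with the keyword passed as a parameter instead of spliced into
' the SQL string. Assumes txtKeyWord, myDataGrid and employees.mdb as in
' the question.
Public Sub SearchBySurname()
    Dim myKeyword As String = txtKeyWord.Text

    ' OleDb binds parameters by position: each "?" is filled by the parameter
    ' added in the same order. The user's text is never part of the SQL text,
    ' so surnames such as O'Brien or D'Angelo need no escaping at all.
    Dim mySql As String = "SELECT * FROM employees WHERE surname = ? ORDER BY id_employee"

    Dim connString As String = "Provider=Microsoft.Jet.OLEDB.4.0;" & _
        "Data Source=" & Server.MapPath("employees.mdb") & ";"

    Using myConn As New OleDbConnection(connString)
        Using cmd As New OleDbCommand(mySql, myConn)
            ' Declare the parameter type explicitly so the provider does not
            ' have to infer it; Jet text columns map to VarWChar.
            cmd.Parameters.Add("surname", OleDbType.VarWChar, 255).Value = myKeyword

            Dim ds As New DataSet()
            Using adapter As New OleDbDataAdapter(cmd)
                ' Fill opens and closes the connection itself.
                adapter.Fill(ds, "employees")
            End Using

            myDataGrid.DataSource = ds.Tables("employees").DefaultView
            myDataGrid.DataBind()
        End Using
    End Using
End Sub
```

With this form nothing in the TextBox has to be rejected or replaced: a surname containing an apostrophe matches exactly as typed. The same separation of query text from data is also what stops user input from being interpreted as SQL, which is the underlying risk behind the broken search.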