Member Avatar for varun.coolmax

I am using a ADODB connection to connect to an access database and am using an SQL string as the comandtext....but i need to check the validity of wat i have typed.....here is the sql statement..

dim cmdcommand as new adodb.command


With cmdCommand
.ActiveConnection = conConnection
.comanttext = "select * from Login where username = txusername.text"

.CommandType = adCmdText

End With

here i want to encorporate the use of check for a text feild...am i using the right Sql syntax here....as in can i jus refer to txtusername.text or do i have to use it like $txtusername.text or soemthing.....Plzz Help

  • 3 Contributors
  • 3 Replies
  • 85 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by varun.coolmax
Member Avatar for davidcairns

For starters lets look at the SQL statement line .comanttext = "select * from Login where username = txusername.text" This is not using the textbox value, the correct syntax for using the control is .comanttext = "select * from Login where username = " & txusername.text This still has a problem as SQL requires quote delimiters for string fields, hence we would add that to the string thus .comanttext = "select * from Login where username = '" & txusername.text & "'" And finally to safely pass this without allowing for a SQL injection attack we would ensure the textbox has no apostrophy that could damage the database .comanttext = "select * from Login where username = '" & replace(txusername.text, "'", "''") & "'" That should just about do it

D

Member Avatar for varun.coolmax

Thanx alot DAVID...That helped alot....U da man

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.