problem with my program

LostProgrammer

Hello everyone, thanks for the help on my last problem.

My problem is this. When I pass my variables to the SQL server, one of the strings has a chunk of text, and if the user puts a ' in the string it makes my program crash. So let's say the user enters for my string variable reason = "Didn't make it on time"; the ' in Didn't would crash my program. Here is my code.

commsql.CommandText = "INSERT INTO TIMELOG ([USERNAME],[LOGTIME],[REASON]) VALUES ('" + username + "','" + loginTime + "','" + reason + "')"

Anyone have any ideas on that one?

Thanks much

LostProgrammer
 
Replace all single quotes with 2 single quotes.
Code:
commsql.CommandText = "INSERT INTO TIMELOG ([USERNAME],[LOGTIME],[REASON]) VALUES ('" & username.Replace("'", "''") & "','" & loginTime & "','" & reason.Replace("'", "''") & "')"
 
Another reason to use Stored Procs when possible - you don't have to worry about this (unless you're passing your parameters through a full string, such as "exec procA 'param1', 123, 'param3'").

Want to see something fun? Try this, set your variable reason to:
"my reason') DROP TABLE TIMELOG --"
If you look at the string you'll be building, you'll get:
INTO TIMELOG ([USERNAME],[LOGTIME],[REASON]) VALUES ('dan', '1:52PM', 'my reason') DROP TABLE TIMELOG -- ')

This is NOT something you want a malicious user to be able to do. Watch your single quotes - it could be more than just a syntax error :)

-nerseuse
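To make the three approaches in this thread concrete (string concatenation that breaks on an apostrophe, the doubled-quote escape from the reply, and passing the values as parameters so the database never parses them as SQL), here is an added example that is not from either poster. It uses Python's built-in sqlite3 against a constructed in-memory copy of the TIMELOG table so it runs anywhere; in ADO.NET the parameterized form corresponds to adding SqlParameter objects to commsql.Parameters instead of building CommandText from user input.

```python
import sqlite3

def fresh_db():
    # Constructed stand-in for the poster's TIMELOG table (in memory).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TIMELOG (USERNAME TEXT, LOGTIME TEXT, REASON TEXT)")
    return con

def build_concat_sql(username, logintime, reason):
    # The original post's approach: user values glued into the SQL text.
    # A ' inside any value closes the literal early, so the parser either
    # rejects the statement or obeys whatever text follows the quote.
    return ("INSERT INTO TIMELOG ([USERNAME],[LOGTIME],[REASON]) VALUES ('"
            + username + "','" + logintime + "','" + reason + "')")

def build_escaped_sql(username, logintime, reason):
    # The reply's fix: double every single quote so it stays inside the literal.
    def q(s):
        return s.replace("'", "''")
    return build_concat_sql(q(username), q(logintime), q(reason))

def insert_parameterized(con, username, logintime, reason):
    # Preferred fix: values travel separately from the SQL text, so there is
    # no quoting rule to forget and no way for a value to add a statement.
    con.execute("INSERT INTO TIMELOG (USERNAME, LOGTIME, REASON) VALUES (?, ?, ?)",
                (username, logintime, reason))
    return con.execute("SELECT REASON FROM TIMELOG").fetchone()[0]

def try_insert(con, sql):
    # Runs a prebuilt statement; returns the stored REASON, or the error text
    # (the "crash" the original poster saw) when the SQL fails to parse.
    try:
        con.execute(sql)
        return con.execute("SELECT REASON FROM TIMELOG").fetchone()[0]
    except sqlite3.Error as e:
        return "ERROR: " + str(e)

def table_exists(con):
    # Lets a caller confirm that TIMELOG survived a given input.
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='TIMELOG'"
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    reason = "Didn't make it on time"
    print(try_insert(fresh_db(), build_concat_sql("dan", "1:52PM", reason)))
    print(try_insert(fresh_db(), build_escaped_sql("dan", "1:52PM", reason)))
    print(insert_parameterized(fresh_db(), "dan", "1:52PM", reason))
```

The first call reproduces the syntax error from the apostrophe, the second shows the doubled-quote escape working, and the parameterized version stores even the thread's "DROP TABLE" string as plain text while the table remains.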
 