SQL statement error in VBA
Problem description:
I have an Access form that contains an insert statement.
The code works fine, but there is a problem when the text I enter contains a single quote ':
' The form value is spliced straight into the SQL text, so a quote in the
' input closes the string literal early and the statement no longer parses
strSQL = "INSERT INTO student (stname) VALUES ('" & stname.Value & "')"
DoCmd.RunSQL strSQL
When stname.Value = Ra'ed or ka'l, the statement becomes invalid.
Answer
In general I agree with marc_s's warning about SQL injection. However, as a quick and dirty solution for a non-mission-critical database, where you don't mind that other users could break into it or otherwise mess it up, you would use
' Doubling every single quote keeps the value inside the string literal
strSQL = "INSERT INTO student (stname) VALUES ('" & Replace(stname.Value, "'", "''") & "')"
Answer
Consider a DAO parameterized query, which lets you bind values without having to wrap them in quotes. Access queries allow a PARAMETERS
clause that can be bound to external values:
' Qualify the DAO types so they cannot be confused with ADO objects of the same name
Dim db As DAO.Database
Dim qdef As DAO.QueryDef
Dim strSQL As String
Set db = CurrentDb
' PREPARE STATEMENT (STRING CAN BE A SAVED QUERY)
strSQL = "PARAMETERS [strValParam] Text(255);" _
    & " INSERT INTO student (stname) VALUES ([strValParam]);"
' INITIALIZE QUERYDEF OBJECT (REPLACE EMPTY STRING "" WITH A SAVED QUERY NAME AND DROP STRSQL TO USE A SAVED QUERY)
Set qdef = db.CreateQueryDef("", strSQL)
' BIND VALUE (SINGLE/DOUBLE/SPECIAL CHARS ALL ALLOWED; THE VALUE NEVER BECOMES PART OF THE SQL TEXT)
qdef!strValParam = stname.Value
' EXECUTE ACTION QUERY (dbFailOnError RAISES A TRAPPABLE ERROR INSTEAD OF FAILING SILENTLY)
qdef.Execute dbFailOnError
Set qdef = Nothing
Set db = Nothing
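The two answers above side by side, as an added example that is not code from either answer: a helper that builds the quote-doubled literal from the first answer (so you can inspect the SQL it produces in the Immediate window), and the DAO parameterized insert from the second answer wrapped in a reusable procedure with error handling and Null handling. It assumes the question's table student with a Text(255) column stname; the procedure and function names, the pName parameter and the sample inputs are constructed for the illustration.

```vba
Option Explicit

' Added example; not part of the original question or answers.
' Assumes the question's table "student" with column "stname" Text(255).

' Quote-doubling escape from the first answer. Only valid when the value
' is placed inside a single-quoted Jet/ACE string literal.
Public Function JetStringLiteral(ByVal value As String) As String
    JetStringLiteral = "'" & Replace(value, "'", "''") & "'"
End Function

' Builds the concatenated statement the way the question does, but with the
' escaped literal, so the result can be inspected:
' ? BuildInsertEscaped("Ra'ed")  -> INSERT INTO student (stname) VALUES ('Ra''ed');
Public Function BuildInsertEscaped(ByVal stname As String) As String
    BuildInsertEscaped = "INSERT INTO student (stname) VALUES (" _
        & JetStringLiteral(stname) & ");"
End Function

' Approach from the second answer as a reusable procedure. The value is
' bound to a parameter and never becomes part of the SQL text, so quotes,
' parentheses and semicolons in the input are stored verbatim.
Public Sub InsertStudentName(ByVal stname As Variant)
    Dim db As DAO.Database
    Dim qdef As DAO.QueryDef

    On Error GoTo CleanFail

    Set db = CurrentDb
    Set qdef = db.CreateQueryDef("", _
        "PARAMETERS [pName] Text(255);" & _
        " INSERT INTO student (stname) VALUES ([pName]);")

    ' An empty form control is Null. Passing it through lets the column's
    ' Required / Allow Zero Length rules decide; concatenation with & would
    ' silently turn Null into '' instead.
    qdef.Parameters("pName").Value = stname

    ' dbFailOnError makes a failed insert raise an error instead of
    ' returning silently, so the caller can react to it.
    qdef.Execute dbFailOnError

CleanExit:
    If Not qdef Is Nothing Then qdef.Close
    Set qdef = Nothing
    Set db = Nothing
    Exit Sub

CleanFail:
    MsgBox "Insert failed: " & Err.Description, vbExclamation
    Resume CleanExit
End Sub

' Smoke test; run from the Immediate window with: ? DemoInsert
' Constructed inputs: the two names from the question plus a string that
' contains the characters which break the concatenated version.
Public Function DemoInsert() As String
    Dim names As Variant
    Dim i As Long
    names = Array("Ra'ed", "ka'l", "x'); --")
    For i = LBound(names) To UBound(names)
        InsertStudentName names(i)
    Next i
    ' Returns the escaped statement for the last input for comparison
    DemoInsert = BuildInsertEscaped(names(2))
End Function
```

BuildInsertEscaped exists only to show what the first answer's Replace call produces; in new code prefer InsertStudentName, because the escaped-literal version is still correct only for that one literal context and must be redone for every concatenated value, while the parameterized version needs no escaping at all.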
[SQL injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate your SQL statements together - use **parameterized queries** instead to avoid SQL injection –
Try replacing ' with '' – artm
Possible duplicate of [Excel, VBA: parametrized query](http://stackoverflow.com/questions/23117357/excel-vba-parametrized-query) –