updating a memo field
on 10.06.2005 04:11:04 by Theo
Hi,
I need help with this prob.
Every time I update a memo field that contains an enter key I get an error. Normal text without the enter key works fine.
Microsoft OLE DB Provider for Visual FoxPro error ''80040e14''
Command contains unrecognized phrase/keyword.
-----------------------------
This message is posted by http://asp.forumszone.com
Re: updating a memo field
on 10.06.2005 05:57:25 by Adrienne
Gazing into my crystal ball I observed "Theo"
writing in news:355801920377554@asp.forumszone.com:
> Hi,
> I need help with this prob.
>
> Every time I update a memo field that contains an enter key I get an
> error. Normal text without the enter key works fine.
>
> Microsoft OLE DB Provider for Visual FoxPro error ''80040e14''
>
> Command contains unrecognized phrase/keyword.
>
field = replace(value,chr(034),"")
--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Re: updating a memo field
on 10.06.2005 06:44:16 by theo Yales
Hi,
thanks for that quick reply.
This is the code I'm using
CSQL = "UPDATE buyers SET notes = '"&session("notes")&"', email = '"&session("email")&"' where bcode= "&Session("bcode")&""
You sent back a code of
field = replace(value,chr(034),"")
Sorry, I don't understand what to do..
====
The problem I have is that every time an enter key has been used in the
memo field, I get an error. Plain simple text works fine..
Just in case you don't know what my problem is.
*** Sent via Developersdex http://www.developersdex.com ***
Re: updating a memo field
on 10.06.2005 08:50:08 by mmcginty
"theo Yales" wrote in message
news:%23DAaPcXbFHA.584@TK2MSFTNGP15.phx.gbl...
>
>
> Hi,
> thanks for that quick reply.
>
> This is the code I'm using
>
> CSQL = "UPDATE buyers SET notes = '"&session("notes")&"', email =
> '"&session("email")&"' where bcode= "&Session("bcode")&""
For one thing your code opens you up to a SQL injection attack. What if
some cracker scum enters this in the input:
'; delete buyers; --
Syntactically correct because it terminates the string literal with a
closing single-quote, and comments-out the remainder of your statement. If
your connection was opened to read and write (which is the default) you'd
better have a recent backup on hand.
For this reason you should parameterize, which will prevent a SQL injection
and fix your problem at the same time. This subject is widely discussed on
an ongoing basis, a search of this news group for the word "parameter" turns
up a wealth of relevant examples.
Also note that if the notes value exceeds a certain provider-dependent size
(e.g., for SQL Server that size is 8060 bytes total for all fields in the
update statement) your code will break, one solution is to use a recordset
and a call to AppendChunk. The other also involves a recordset, but uses
ADODB.Stream to transport the data instead.
-Mark
> You sent back a code of
>
> field = replace(value,chr(034),"")
>
> Sorry, I don't understand what to do..
>
> ====
>
> The problem I have is that every time an enter key has been used in the
> memo field, I get an error. Plain simple text works fine..
>
> Just in case you don't know what my problem is.
>
> *** Sent via Developersdex http://www.developersdex.com ***
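The parameterized UPDATE recommended in the reply above, as an added example that is not code from any poster in the thread. The values travel as ADO parameters rather than as command text, so quotes and line breaks in the notes are never parsed as SQL. The connection string is a placeholder, and the assumptions that `bcode` is an integer column and `email` a character column are marked in the comments.

```vbscript
<%
' Added example (classic ASP / VBScript, ADO). Not the original poster's code.
' ADO constants (values from adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adExecuteNoRecords = 128
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adLongVarChar = 201

Dim conn, cmd, notes, email, affected

' Appending "" turns an Empty or Null session value into an empty string.
notes = Session("notes") & ""
email = Session("email") & ""

Set conn = Server.CreateObject("ADODB.Connection")
' Placeholder connection string: point Data Source at your own data directory.
conn.Open "Provider=VFPOLEDB.1;Data Source=C:\path\to\data\"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? markers are positional: parameters bind in the order they are appended.
cmd.CommandText = "UPDATE buyers SET notes = ?, email = ? WHERE bcode = ?"

' Variable-length types need a Size of at least 1, even for an empty string.
cmd.Parameters.Append cmd.CreateParameter("notes", adLongVarChar, adParamInput, Len(notes) + 1, notes)
' Assumption: email is a character column.
cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, Len(email) + 1, email)
' Assumption: bcode is an integer column (it is unquoted in the original statement).
' CLng raises a type mismatch error on non-numeric input instead of passing it on.
cmd.Parameters.Append cmd.CreateParameter("bcode", adInteger, adParamInput, , CLng(Session("bcode")))

cmd.Execute affected, , adExecuteNoRecords
If affected = 0 Then
    Response.Write "No buyer matched that code."
End If

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

Because the notes value is stored exactly as entered, nothing has to be stripped from the user's input before the update.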
Re: updating a memo field
on 10.06.2005 18:39:21 by Adrienne
Gazing into my crystal ball I observed theo Yales
writing in news:#DAaPcXbFHA.584@TK2MSFTNGP15.phx.gbl:
>
>
> Hi,
> thanks for that quick reply.
>
> This is the code I'm using
>
> CSQL = "UPDATE buyers SET notes = '"&session("notes")&"', email =
> '"&session("email")&"' where bcode= "&Session("bcode")&""
>
>
> You sent back a code of
>
> field = replace(value,chr(034),"")
>
> Sorry, I don't understand what to do..
Put that in before your code to update the buyers table.
<% session("notes") = replace(session("notes"),chr(034),"")
CSQL = ...
%>
That removes the carriage return _before_ it gets posted to the table.
>
>====
>
> The problem I have is that every time an enter key has been used in the
> memo field, I get an error. Plain simple text works fine..
>
> Just in case you don't know what my problem is.
>
> *** Sent via Developersdex http://www.developersdex.com ***
--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Re: updating a memo field
on 12.06.2005 04:42:43 by mmcginty
"Adrienne" wrote in message
news:Xns9671623825FFDarbpenyahoocom@207.115.63.158...
> Gazing into my crystal ball I observed theo Yales
> writing in news:#DAaPcXbFHA.584@TK2MSFTNGP15.phx.gbl:
>
>>
>>
>> Hi,
>> thanks for that quick reply.
>>
>> This is the code I'm using
>>
>> CSQL = "UPDATE buyers SET notes = '"&session("notes")&"', email =
>> '"&session("email")&"' where bcode= "&Session("bcode")&""
>>
>>
>> You sent back a code of
>>
>> field = replace(value,chr(034),"")
>>
>> Sorry, I don't understand what to do..
>
> Put that in before your code to update the buyers table.
>
> <% session("notes") = replace(session("notes"),chr(034),"")
>
> CSQL = ...
>
> %>
>
> That removes the carriage return _before_ it gets posted to the table.
How does it do that? Chr(34) is a double-quote. Also note that though the
leading zero is meaningless in VB, it causes the value to be evaluated as
octal (rather than decimal) in JScript and C++. Use of such notation in VB
will affect code portability at minimum.
Chr(34) shouldn't even be an issue, Chr(39) (single-quote) would be, but
it's just the tip of the SQL injection iceberg. Parameterization is a
complete solution.
And last, but surely not least, your approach alters user input, with no
mechanism to restore it to its original value. In the olden days, when user
data and its integrity were sacred, this was widely considered to be a very
negative practice.
Nowadays, with user data of every shape and size in abundance (to say the
least) calling user data "sacred" is sort of like calling cliff swallows
"endangered" -- there are millions of the little buggers everywhere you
look, hard to get worked-up about conservation.
Even so, those old ideals have merit, abandoning them should only be
considered as a last resort.
-Mark
>>====
>>
>> The problem I have is that every time an enter key has been used in the
>> memo field, I get an error. Plain simple text works fine..
>>
>> Just in case you don't know what my problem is.
>>
>> *** Sent via Developersdex http://www.developersdex.com ***
>
>
>
> --
> Adrienne Boswell
> http://www.cavalcade-of-coding.info
> Please respond to the group so others can share
Re: updating a memo field
on 12.06.2005 06:20:32 by Adrienne
Gazing into my crystal ball I observed "Mark J. McGinty"
writing in news:dhNqe.9806$tr.7822@fed1read03:
>> That removes the carriage return _before_ it gets posted to the table.
>
> How does it do that? Chr(34) is a double-quote.
Doh! I know that!
I had just this incident the other day, having to replace the carriage
return.... now where did I put that code? I'll be back...
--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share