At 1:36 PM -0500 9/27/01, Paul DuBois wrote:
>At 7:32 PM +0100 9/27/01, johnlucas-Arluna wrote:
>>Apologies for the lack of info in my last message, here's some further
>>I am using Visual Basic accessing the database through a self-developed
>>ActiveX DLL to handle the updates.
>>I basically open an ADODB recordset object and populate a custom mysqlFields
>>class with the field values. When the VBScript ASP page needs to update the
>>recordset, it passes the SQL to open it, then populates the fields from the
>>rsmysql.fields("blahblah") = request.form("blahblah").
>>When I do rsmysql.update, the custom ActiveX DLL creates the SQL update
>>statement and executes it through the connection object.
>>When creating the Update SQL statement, that's when I do the escape characters
>>and, if necessary, do the HTMLEncode.
>I don't know VB, but in other languages, this wouldn't be quite right.
>You don't HTML-encode information for inserting it into the database, you
>escape special characters in SQL. Those aren't the same as the special
>characters for SQL...
Clearly what I said there makes no sense... I meant to say that characters
that are special in SQL are not the same as the characters that are special
Paul DuBois, paul@stripped
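
Added example, not part of the original thread: the point that HTML-encoding a value does not make it safe to place in a SQL statement, shown in Python with an in-memory SQLite database standing in for the poster's VB/ADO/MySQL setup. The helper names, table and sample value are constructed for illustration, and bound parameters are used here in place of hand-written SQL escaping.

```python
import html
import sqlite3

# Constructed sample: ' is special in SQL; & and < are special in HTML.
SAMPLE = "O'Reilly & <b>Sons</b>"

def html_encode(text):
    # Assumption: stands in for an HTML encoder that rewrites & < > "
    # and leaves the single quote alone.
    return html.escape(text, quote=False).replace('"', "&quot;")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    return conn

def store_html_encoded(conn, value):
    """Wrong layer: HTML-encode, then splice the result into the statement."""
    sql = "INSERT INTO people (name) VALUES ('%s')" % html_encode(value)
    try:
        conn.execute(sql)
        return "stored"
    except sqlite3.Error:
        # The ' survived HTML encoding and ended the SQL literal early.
        return "sql error"

def store_bound(conn, value):
    """Right layer: the driver carries the raw value as a bound parameter."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (value,))

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY id")]

def render_cell(value):
    # HTML encoding belongs here, when the value is written into a page.
    return "<td>%s</td>" % html.escape(value)

if __name__ == "__main__":
    db = open_db()
    print(store_html_encoded(db, SAMPLE))
    store_bound(db, SAMPLE)
    for name in stored_names(db):
        print(repr(name), "->", render_cell(name))
```

The database keeps the raw text, so searches and comparisons see what the user typed, and the HTML entities appear only in the rendered output.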