我从下拉菜单中获得一个客户名称,然后使用该值查询一个 Excel 电子表格,但是名称可能包含一个单引号(例如:Adam's Meat)。这会破坏我的应用程序,那么我如何使用包含单引号的变量进行查询?
Private Sub cboCompany_Change()
Dim customerName As String
customerName = cboCompany.Value
rsT.Open "SELECT Customer, Postcode, Address1, Address2, State, Country FROM Customers WHERE Customer = '" & customerName & "'", cn, adOpenStatic
如果你在指定字符串时用到两个单引号'',其中一个会被转义,导致最终只有一个单引号。你可以尝试这样替换:
customerName = Replace(customerName, "'", "''")
这样会使你容易受到SQL注入攻击。我建议将其更改为参数化查询,就像这样:
Dim cmd as NEW ADODB.Command
With cmd
.CommandText=”SELECT foo from tblBar where foo=?”
.Parameters.Append .CreateParameter("@foo", adVarChar, adParamInput, 50, “What ever you want”)
.ActiveConnection=dbCon
.CommandType=adCmdText
End With
Set rst=cmd.execute