New-->Using DatePart and other Date Functions
(Updated) Using Single & DoubleQuotes in ASP with SQL Statements
(Updated) Emailing Form Results
Mass Emailing with CDO
Using The Ad Rotator
ASCII Character Set 0-127
(managing single & double quotes)
in ASP SQL Statements
OR - How I learned to use Single & Double Quotes in ASP and lived to tell about it!
First of all:
If there is Limiter (non-numeric), like 'where Fieldname=Peter', where the limiter is not numeric, then you must put single quotes around it:
This is an example of an EXACT SQL Statement. We are asking to return all instances of the name 'Peter'.
Here's where it gets tricky with variables. In our form, we are requesting a name, but whoever fills out the form might want to search for someone with a different name. So, since it can be different things to different people, we assign that section of the SQL statement a variable.
Let's say you have designated a variable called FirstNameVar. Above where Peter starts is where the variable would go, but Peter is an exact search and a variable is not, so your SQL ending double quote goes directly after the single quote. This is where the EXACT SQL statement ends. At this point, you have:
Think of how a response.write statement is in ASP when we have html that needs to be in the response.write statement:
The exact HTML is separated from the ASP. Well, in SQL, the same thing is happening. You are separating the EXACT SQL statement from the Variables.
OK, what about the variable? Well, you add an ampersand and the variable name:
"Select * from Tablename where (Firstname)='" & FirstNameVar
But, we're not finished yet, because, if you remember, the EXACT name must be surrounded by single quotes and the entire SQL statement must start & end with double quotes. Therefore, we must add the single quote, but also remember that it is still part of the EXACT SQL Syntax. And - in SQL, when you separate the EXACT SQL from the variables, each section of the EXACT SQL is enclosed within its own double quotes. The SQL statement, though, within the ASP brackets is a separated text statement. The EXACT SQL is surrounded by quotes, where the variables aren't. Remember, we are inside the ASP brackets with this SQL statement and everything within double quotes is not considered ASP code. So, we end up with:
"Select * from Tablename where (Firstname)='" & FirstNameVar & "'"
If you wanted to change out the "=" for "like", then you would have an exact SQL like:
"Select * from Tablename where (Firstname)='Peter%'
where this would find all instances of Peter as well as Peterman, Peterovsky, etc.
-- which would return to you any name which had the letters Peter anywhere in it.
With Variables, that would give you something like this:
"Select * from Tablename where (Firstname)='%" & FirstNameVar & "%'"
And, of course, this is only the first part because we are dealing with Non-numeric/text type values only. There are no single quotes around numeric values in an SQL statement.
MySQL="Select * from data where age >'" & strAge & "'"
You will get an error on the Age field if, in your data structure, you have defined the Age field with a numeric datatype. You would need to change your statment to this:
MySQL="Select * from data where age >" & strAge
Notice that the single quote before and after strAge have been removed. This will not give you an error.
Then, of course, this principle is even more exemplified when using an INSERT statement. It boils down to one fact :
So, as you can see it really pays to know your data!