
Using VBA, I'm trying to select data from a SQL table, but am running into an issue because the customer name I'm looking up contains an apostrophe (McDonald's). Instead of using a replace function, I'm trying to set up customerName as a parameter to avoid this issue.

    Dim rs As ADODB.Recordset
    Set rs = New ADODB.Recordset
    Dim cmd As New ADODB.Command
    customerName = .Range("customerName")

    'The value is spliced straight into the SQL text here
    queryCustomers = "select * from Customers where CustomerName = '" & customerName & "'"

    'Open a connection to SQL Server
    conn.Open cnstring

    With cmd
        .CommandText = queryCustomers
        .Parameters.Append .CreateParameter("@param1", adVarChar, adParamInput, 50, customerName)
        .ActiveConnection = conn
        .CommandType = adCmdText
    End With

    Set rs = cmd.Execute

I'm getting the same error because of the apostrophe which means the parameter setup I'm using is incorrect. In summary, I need help to make my queryCustomers string pass customerName as a parameter so the apostrophe in customerName does not affect the SQL command.

  • You need to pass these values as parameters, not because it causes you problems, but because of the problems it will avoid. Your code is wide open to SQL injection. You can read more about how bad this anti-pattern is here. That site also has examples of how to properly parameterize values. Commented Jul 15, 2019 at 19:19
  • Check out Little Bobby Tables - absolute classic!! And then learn from it and NEVER EVER do that again! Commented Jul 15, 2019 at 19:21
  • When you use a parameter the code will automatically escape any characters, if it needs to. The problem is because you aren't using parameters. Commented Jul 15, 2019 at 19:21
  • Try this: evona.nl/simple-parameterized-queries-using-ado-in-vba Commented Jul 15, 2019 at 19:28
  • @Larnu so do you know how to fix that? I'm not familiar with using parameters here. Thanks Commented Jul 15, 2019 at 19:29

1 Answer

Your

    queryCustomers = "select * from Customers where CustomerName = '" & customerName & "'"

gets evaluated to

    "select * from Customers where CustomerName = 'McDonald's'"

There is no variable where the value can be placed; this is what is executed.

Try something like this

    'A positional marker (?) is what ADO binds for the SQL Server provider;
    'the value is sent separately, so the apostrophe needs no escaping
    cmd.ActiveConnection = conn
    cmd.CommandText = "select * from Customers where CustomerName = ?"
    Dim param1 As ADODB.Parameter
    'Size the parameter to the column width (50), not to the length of the value
    Set param1 = cmd.CreateParameter("@Value1", adVarWChar, adParamInput, 50, "McDonald's")
    cmd.Parameters.Append param1

This approach should escape your McDonald's -> McDonald''s automatically.


4 Comments

Thank you for your reply.

    cmd.CommandText = "select * from Customers where CustomerName = @Value1"
    Dim param1 As ADODB.Parameter
    Set param1 = cmd.CreateParameter("@Value1", adVarWChar, adParamInput, 50, customerName)
    cmd.Parameters.Append param1
    Set rs = cmd.Execute

returns an error on the execute line: "the connection cannot be used to perform this operation. it is either closed or invalid in this context."
Ah I had to set cmd activeconnection to fix that. But I still get an error: "Must declare the scalar variable "@Value1"
@Codelinsky use ordinal parameters instead of named ones. cmd.CommandText = "select * from Customers where CustomerName = ?"
Worked. Thank you :)
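Putting the answer and the comment fix together, as an added example that is not code from the question, the answer or the comments: a reusable lookup that binds the customer name through an ordinal `?` parameter and sets the active connection before executing. The connection string values and the nvarchar(50) column width are assumptions.

```vba
' Added example, not from the original thread. Requires a reference to
' "Microsoft ActiveX Data Objects 6.1 Library". Server and database names
' below are placeholders; replace them with your own.
Option Explicit

Private Const cnstring As String = _
    "Provider=SQLOLEDB;Data Source=PLACEHOLDER_SERVER;" & _
    "Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI"

Public Function GetCustomerByName(ByVal conn As ADODB.Connection, _
                                  ByVal customerName As String) As ADODB.Recordset
    Dim cmd As ADODB.Command
    Set cmd = New ADODB.Command

    With cmd
        .ActiveConnection = conn          ' must be set before Execute
        .CommandType = adCmdText
        ' The ? marker is bound by position; ADO passes the value to the
        ' provider separately, so the literal never becomes part of the
        ' SQL text and an apostrophe in the name needs no escaping.
        .CommandText = "select * from Customers where CustomerName = ?"
        ' Size to the assumed column width (nvarchar(50)), not to the
        ' current value, so longer names are not silently truncated.
        .Parameters.Append .CreateParameter("CustomerName", adVarWChar, _
                                            adParamInput, 50, customerName)
        Set GetCustomerByName = .Execute
    End With
End Function

Public Sub LookupCustomerExample()
    Dim conn As ADODB.Connection
    Dim rs As ADODB.Recordset

    Set conn = New ADODB.Connection
    conn.Open cnstring

    ' "McDonald's" travels as data, not as part of the statement.
    Set rs = GetCustomerByName(conn, "McDonald's")

    Do Until rs.EOF
        Debug.Print rs.Fields("CustomerName").Value
        rs.MoveNext
    Loop

    rs.Close
    conn.Close
End Sub
```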
