
I have a textbox on a form which contains the following:

    "UPDATE Dialogs SET Dialogs.Message = 'blah blah' " & vbCrLf & _
    "WHERE (((Dialogs.Error)=1));"

Now I want to execute it by doing the following:

    Const strcLineEnd = " "" & vbCrLf & _" & vbCrLf & """"
    If IsNull(Me.SQLStatement) & Me.txtqrytype = "UPDATE" Then
        Beep
    Else
        strSQL = Me.SQLStatement
        strSQL = Replace(strSQL, """", """""")  'Double up any quotes.
        strSQL = Replace(strSQL, vbCrLf, strcLineEnd)
        strSQL = """" & strSQL & """"
        Me.txtVBA = strSQL
        Me.txtVBA.SetFocus

        Dim coded As String
        coded = Me.txtVBA

        DoCmd.RunSQL coded
    End If

but I get the following error: invalid sql statement expected 'Delete', 'Insert', 'Select', Update'.

Any ideas?

itguyme
  • Is that *literally* what the textbox has? Including the `"` and variable references? Also, I have no idea what you're using this for, but this isn't just vulnerable to SQL Injection, it literally *is* SQL Injection. – Siyual Sep 27 '16 at 12:38
  • This is in a Microsoft Access form; basically it converts SQL statements into a string that can be run within VBA. Once it converts the statement to a string, the textbox contains the code above including the " quotes " and variables. I wouldn't worry about SQL injection as this is a training tool with dummy data – itguyme Sep 27 '16 at 12:42
  • `debug.print coded` prior to `DoCmd.RunSQL`, and post the result in your question. It's a little hard to follow with all those double quotes and `Replace` calls – Thomas G Sep 27 '16 at 13:10
  • I think you have a total mixup of VBA and SQL code. And: [How to debug dynamic SQL in VBA](http://stackoverflow.com/questions/418960/managing-and-debugging-sql-queries-in-ms-access/1099570#1099570) – Andre Sep 27 '16 at 13:36
  • Also no need to double up quotes; just use single quotes inside SQL statements for string literals, unless double quotes are contained inside strings. – Parfait Sep 27 '16 at 13:39

0 Answers