I'm taking over some ASP code that has been ESCAPEing all kinds of data before inserting it into a SQL database. Isn't it smarter to simply use replace(myVar, "'", "''") to get rid of single quotes? That way I wouldn't need to UNESCAPE everything I pull out of the DB. Aren't single quotes the only real concern when inserting into the DB?

Thanks in advance for your insight.

Yes, or you could perform a replace and use ' for single quotes -- this is what I do.

So you would run

replace( myVar, "'", "&#39" ) 'Need to add semicolon after 39

This has the effect of storing the ' to the database instead of the single quote -- but if you only plan to display the information in a browser and if you are not depending on a particular value for String length or otherwise parsing it, it is very convenient.

But it is true that replace() is the more sensible solution and your approach should work fine.

EDIT -- After seeing Webcyte's post, I realized I should have left off my semicolon to make it visible..... Tks, webcyte.

replace("""", """)
replace("'", "'")

This way uses the entity number which I find to be a better choice. I find it less confusing.

replace("""", "&#34")
replace("'", "&#39")

remember to put the ; after &#34 and &#39 or you get what you see above