Textarea Stuff To A DB

I've written several scenarios where the end user needs to enter data into a textarea (descriptions, messages etc.) which becomes part of a form. End users often put apostrophes and carriage returns in the textarea... however, when the code I write is submitted to the database, it generates an SQL command from the page that sent the action.

Client Side:

<form action="somepage.asp" method="post">
<input type="text" name="emailaddress">
<textarea cols="20" rows="5" name="comments"></textarea>
<input type="submit" value="Send">
</form>

On code submission...

sql="insert into tableName (email,comments) values ('" & request.form("emailaddress") & "','" & request.form("comments") & "');"
db.execute(sql)

Now, when strange people put carriage returns in, it stuffs up the string and therefore produces an error, and to make matters worse, if it did recognise a carriage return, it wouldn't be displayed on HTML output. Apostrophes are even worse - they signify the end of a variable in the SQL sentence. Can anyone help me and figure out a new way of writing to the DB?
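The two problems described above (an apostrophe ending the SQL string early, and a carriage return that is lost on output) come from building the SQL statement by string concatenation and echoing raw text into HTML. The added example below is not from the original post; it shows the same insert done with an ADODB.Command and parameter placeholders, so the textarea contents travel to the database as data rather than as part of the SQL text, plus a small display helper that encodes the comment and turns the submitted line breaks into <br>. It assumes the same form field names and table as the question; connString is a placeholder for your own connection string.

```vbscript
<%
' Added example (not from the original post): write the textarea to the DB with
' a parameterised ADODB.Command, so apostrophes and carriage returns in the
' input are data, never part of the SQL text. Assumes the same form field names
' and table as the question; connString is a placeholder for your own DSN.
Option Explicit
Dim connString, conn, cmd, email, comments
connString = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"

email    = Request.Form("emailaddress")
comments = Request.Form("comments")

' ADODB constants (adovbs.inc is not always included, so spell them out)
Const adVarChar = 200, adLongVarChar = 201, adParamInput = 1, adExecuteNoRecords = 128

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connString

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Placeholders instead of string concatenation: the provider sends the values
' separately, so a quote inside the comment cannot close the literal early
' and no Replace(...,"'","''") escaping is needed.
cmd.CommandText = "INSERT INTO tableName (email, comments) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 255, email)
' Size must be non-zero even for an empty comment, hence Len(...) + 1
cmd.Parameters.Append cmd.CreateParameter("comments", adLongVarChar, adParamInput, Len(comments) + 1, comments)
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing
Set conn = Nothing

' On display, encode first (so "<" in the comment is shown, not interpreted as a
' tag), then turn the line breaks the browser submitted (CRLF, or bare LF) into <br>.
Function CommentToHtml(text)
    Dim html
    html = Server.HTMLEncode(text)
    html = Replace(html, vbCrLf, "<br>")
    html = Replace(html, vbLf, "<br>")
    CommentToHtml = html
End Function

Response.Write CommentToHtml(comments)
%>
```

The carriage returns are stored unchanged; it is only at output time that they are converted to <br>, and the HTMLEncode call comes first so a comment containing "<br>" or "<script>" literally is shown as text rather than rendered.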
