WTF SagePay
'** Escapes a value for use inside a single-quoted SQL string literal by doubling every
'** single quote. A quote that is already doubled in the input is passed through unchanged
'** rather than being doubled again, and the result has leading/trailing spaces trimmed
'** (VB Trim, spaces only). Only the single-quote character is handled: the output is
'** meaningful solely inside a quoted literal (never for unquoted numeric columns), and
'** MySQL's default mode also treats backslash as an escape inside literals, which this
'** routine does not cover. Bound MySqlCommand parameters are the safer option. **
Public Shared Function SQLSafe(ByVal strRawText As String) As String
    If strRawText Is Nothing Then Return ""
    Dim escaped As String = ""
    Dim lastIndex As Integer = strRawText.Length - 1
    Dim i As Integer = 0
    While i <= lastIndex
        Dim ch As Char = strRawText.Chars(i)
        If ch = "'"c Then
            escaped &= "''"
            '** Consume the partner of an already-doubled quote so it is not tripled **
            If i < lastIndex AndAlso strRawText.Chars(i + 1) = "'"c Then i += 1
        Else
            escaped &= ch
        End If
        i += 1
    End While
    Return Trim(escaped)
End Function
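'** Update our database with the results from the Notification POST **
'** Every value taken from the POST is bound as a MySqlParameter instead of being spliced
'** into the SQL text. Quote-doubling (SQLSafe) only protects values that sit inside a quoted
'** literal; TxAuthNo and GiftAid are written unquoted, and Status was concatenated without any
'** escaping, so parameters are the only way to keep the statement's shape fixed for all
'** inputs. String values are trimmed of surrounding spaces to match what SQLSafe stored. **
strSQL = "UPDATE tblOrders set Status=@Status"
oSQLCommand = New MySqlCommand()
oSQLCommand.Parameters.AddWithValue("@Status", strDBStatus)
'** Only the columns the notification actually supplied are touched, as before **
If Len(strTxAuthNo) > 0 Then
    strSQL = strSQL & ",TxAuthNo=@TxAuthNo"
    oSQLCommand.Parameters.AddWithValue("@TxAuthNo", Trim(strTxAuthNo))
End If
If Len(strAVSCV2) > 0 Then
    strSQL = strSQL & ",AVSCV2=@AVSCV2"
    oSQLCommand.Parameters.AddWithValue("@AVSCV2", Trim(strAVSCV2))
End If
If Len(strAddressResult) > 0 Then
    strSQL = strSQL & ",AddressResult=@AddressResult"
    oSQLCommand.Parameters.AddWithValue("@AddressResult", Trim(strAddressResult))
End If
If Len(strPostCodeResult) > 0 Then
    strSQL = strSQL & ",PostCodeResult=@PostCodeResult"
    oSQLCommand.Parameters.AddWithValue("@PostCodeResult", Trim(strPostCodeResult))
End If
If Len(strCV2Result) > 0 Then
    strSQL = strSQL & ",CV2Result=@CV2Result"
    oSQLCommand.Parameters.AddWithValue("@CV2Result", Trim(strCV2Result))
End If
If Len(strGiftAid) > 0 Then
    strSQL = strSQL & ",GiftAid=@GiftAid"
    oSQLCommand.Parameters.AddWithValue("@GiftAid", Trim(strGiftAid))
End If
If Len(str3DSecureStatus) > 0 Then
    strSQL = strSQL & ",ThreeDSecureStatus=@ThreeDSecureStatus"
    oSQLCommand.Parameters.AddWithValue("@ThreeDSecureStatus", Trim(str3DSecureStatus))
End If
If Len(strCAVV) > 0 Then
    strSQL = strSQL & ",CAVV=@CAVV"
    oSQLCommand.Parameters.AddWithValue("@CAVV", Trim(strCAVV))
End If
If Len(strAddressStatus) > 0 Then
    strSQL = strSQL & ",AddressStatus=@AddressStatus"
    oSQLCommand.Parameters.AddWithValue("@AddressStatus", Trim(strAddressStatus))
End If
If Len(strPayerStatus) > 0 Then
    strSQL = strSQL & ",PayerStatus=@PayerStatus"
    oSQLCommand.Parameters.AddWithValue("@PayerStatus", Trim(strPayerStatus))
End If
If Len(strCardType) > 0 Then
    strSQL = strSQL & ",CardType=@CardType"
    oSQLCommand.Parameters.AddWithValue("@CardType", Trim(strCardType))
End If
If Len(strLast4Digits) > 0 Then
    strSQL = strSQL & ",Last4Digits=@Last4Digits"
    oSQLCommand.Parameters.AddWithValue("@Last4Digits", Trim(strLast4Digits))
End If
strSQL = strSQL & " where VendorTxCode=@VendorTxCode"
oSQLCommand.Parameters.AddWithValue("@VendorTxCode", Trim(strVendorTxCode))
oSQLCommand.CommandText = strSQL
objConn = oMySQLConnection()
Try
    oSQLCommand.Connection = objConn
    '** An UPDATE returns no rows; ExecuteReader would leave a data reader open on the
    '** connection (the original never closed it), so ExecuteNonQuery is the right call **
    oSQLCommand.ExecuteNonQuery()
Finally
    '** Release the command and the connection even if the UPDATE throws **
    oSQLCommand.Dispose()
    oSQLCommand = Nothing
    DestroyConnection(objConn)
End Try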