This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I am working on a project where another developer created a table with column names like 'Business Name'. That is a space between two words. If I run a SELECT statement with 'Business Name' it says there is no column with name 'Business'.
How can I solve this problem?
Generally the first step is to not do that in the first place, but if this is already done, then you need to resort to properly quoting your column names:
SELECT `Business Name` FROM annoying_table
Usually these sorts of things are created by people who have used something like Microsoft Access and always use a GUI to do their thing.
If double quotes does not work , try including the string within square brackets.
For eg:
SELECT "Business Name","Other Name" FROM your_Table
can be changed as
SELECT [Business Name],[Other Name] FROM your_Table
You need to use backtick instead of single quotes:
Single quote - 'Business Name' - Wrong
Backtick - `Business Name` - Correct
To each his own but the right way to code this is to rename the columns inserting underscore so there are no gaps. This will ensure zero errors when coding. When printing the column names for public display you could search-and-replace to replace the underscore with a space.
I got here with an MS Access problem.
Backticks are good for MySQL, but they create weird errors, like "Invalid Query Name: Query1" in MS Access, for MS Access only, use square brackets:
It should look like this
SELECT Customer.[Customer ID], Customer.[Full Name] ...
I think double quotes works too:
SELECT "Business Name","Other Name" FROM your_Table
But I only tested on SQL Server NOT mySQL in case someone work with MS SQL Server.
Related
This question already has answers here:
How to escape ampersand in TOAD?
(3 answers)
Closed 3 years ago.
I've seen a bunch of related posts, but none yet that resolve my specific question.
In Oracle SQL I need to do something like this:
SELECT field1 "Eggs&Cheese"
FROM table1;
But it reads the &Cheese and wants to do parameter substitution. I just want the field name to be Eggs&Cheese
I saw this post Escape ampersand with SQL Server, but Oracle does not like the bracket [] syntax.
And also Escaping ampersand character in SQL string, but that is escaping the ampersand in a value string, not a label string.
The substitution is related to tool you are using and has nothing to do with column alias.
db<>fiddle demo
Depending on the tool you could disable it like "set define off".
Related: Set define off not working in Oracle SQL Developer & How to escape ampersand in TOAD?
You have to set the escape. Works in Oracle SQL Developer.
set escape \
SELECT field1 "Eggs\&Cheese" FROM table1;
After your work is done you can set it off.
set escape off
This question already has answers here:
How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?
(6 answers)
Closed 3 years ago.
Hello I am going through some SQL injection examples and I have the following scenario:
In this example, aware of the risk of SQL injection, the developer decided to block single quotes ' by removing any single quote ' in the query. However, there is still a way to break out of the SQL syntax and inject arbitrary SQL.
To do so, you need to think of the query:
SELECT * FROM users WHERE username='[username]' and password='[password]'
The problem here is that you cannot, in theory, break out of the single quotes ' since you cannot inject any quote. However, if you inject a back-slash \, the second ' in the query (the one supposed to finish the string [username] will be escaped and will be closed by the third one (the one supposed to start the string [password].
Doesn't this mean that if I input a "\" on the username field it will automatically break the query? and look something like
SELECT * FROM users WHERE username='[username] and password=' ..
Am I missing something ? Should I provide the backslash in another way?
Ok I have found the answer:
The username should be : \
and password : or 1#
Then the query will look something like this
SELECT * FROM users WHERE username = '\' AND password=' or 1#
I was trying to use sqlFetch. The fetch works perfectly when I change the name of my table to have underlines instead of periods. So if I use the command
sqlFetch(conn, "HelloWorld_40")
It works fine. Unfortunately, my friends are all using the real name of the table
sqlFetch(conn, "HelloWorld.40")
But then it crashes and it tells me that
Error in sqlColumns(conn, "HelloWorld.40") :
'HelloWorld.40': table not found on channel
I'm guessing the period "." is illegal name for a table. But I don't want my friends to change it because it's a lot of people who would be affected. Is there a way I can call the table, or do I have to secretly go to their database, change the name while I use it and then change it back to a period (risking that I will forget, someone will read, blah blah).
Thanks.
put the table name in square brackets:
[HelloWorld.40]
It is a problem with sqlFetch which parse table name. Unfortunately it did not handle table quotes, so it's search for table 40 in schema HelloWorld. You need to directly call sqlQuery (with quoted table name, brackets for MS SQL Server):
sqlQuery(dbhandle, "SELECT * FROM [HelloWorld.40]")
Side note: you should specify which database you are using.
The best delimiter is double quotes -- that should work in most underlying databases:
"HelloWorld.40"
In MySQL, you can also use back ticks (`):
`HelloWorld.40`
In SQL Server, Access, and I think Sybase, you can also use square braces:
[HelloWorld.40]
I have a table in my database of type nvarchar(50);
I want to write to that specific column that string 'Tal' - Tal between 2 apostrophes.
When I'm trying to do so what is recorded in my DB is "Tal" - Tal between 2 quotation marks.
My database is an SQL database and so are my scripts.
How this can be solved?
The standard way to do what you want is this.
insert into mytable ( mycolumn ) values ('''Tal''');
The first and last ' are the start and end markers for the string. Each '' within these characters means '. Refer to page 89 of the SQL 92 specification at http://www.andrew.cmu.edu/user/shadow/sql/sql1992.txt
I think escaping is the key to your question. For SQL apostrophes are special characters, thus they have to be escaped by '' (two apostrophes). Have you checked that your scripts do not add the second apostrophe for you? Probably you have to add Tal without the apostrophes.
Escape % seems to be DB dependant. Oracles uses \%, others accespt [%] and some seem to have a keyword ESCAPE. You have read the documentation of your database, look for "escape characters".
Try inserting like this using the backslash \'Tal\'.
I have a simple query but am running into problems using LIKE in VBA. My SQL string in VBA is:
stsql1 = "Select Top 25 data.* from data where data.Description Like ('*') "
When I run this sql string in my VBA code I get no records returned, but if I copy/paste the same string into a query in SQL View in MS Access, the query returns the values I expect. Is there a trick to using the "Like" syntax in VBA?
I can provide additional code and a small version of the database if that would help.
For SQL, the database engine will accept either single or double quotes as text delimiters. So either of these 2 WHERE clauses will work.
WHERE some_field Like '*'
WHERE some_field Like "*"
VBA however only accepts double quotes as text delimiters, so you would have to use the second form.
Two other points about your SELECT statement:
Select Top 25 data.* from data where data.Description Like ('*')
TOP [number] is arbitrary without an ORDER BY clause
You don't need parentheses surrounding your Like pattern ... you can use Like "*"
If your VBA code is using ADO with that SELECT statement, you must change the wild card character from * to % ...
WHERE data.Description Like '%'
In ADO/VBA, you have to use % instead of * as the wildcard. I ran into this a couple times in the past ....
Realize that there are at least 2 (yes two!) LIKE operators here.
One is the LIKE operator of VBA.
The other is the LIKE operator of the SQL of the database you are attached to.
The usual wildcards in SQL are % (for any # of any characters) and _ (for one of any character).
Know also that MS Access can open databases that aren't Access; it could be Microsoft SQL Server, or Oracle or IBM DB2. (BTW, the database that is normal for Access is called Microsoft JET.) You may be sheltered from that truth when you create a Query object in Access - in that circumstance, you are using JET SQL even when it's a linked table you are querying.
However, under VBA, when using either DAO or ADO, you're talking directly to whatever the database system happens to be, in which case you MUST use the SQL of that specific system.
OK, short answer: Use % like cularis said.
I can't add a comment, but I think it would be worth noting that you have to use % even if you are querying MS Access.
(example: Outlook VBA runs query on an Access database. The proper query is select * where user like '%bob%', even though this query would not work if plugged directly into an MS Access query).