I have 3 sql tables customer, employee and manager. I want to access dynamically to my tables. I had a statement like this,
"update customer set AMOUNT where ID= ?"
But in this situation i can only access to customer. I need to access all of the tables for different operations. Is that possible to write this,
"update ? set AMOUNT where ID=?"
or what can i do to access for example employee for a different class.
The parameters can be used only in the place where you could otherwise use a literal value, like a quoted string or a numeric value.
Parameters cannot be used for identifiers like table names. Nor expressions. Nor SQL keywords.
All those other parts of the query must be fixed in the SQL query string before you prepare the query.
To query other tables, you just have concatenate the table name into the string.
String query = "update " + tableName + " set amount where ID=?";
It's up to you to make sure your variable tableName in fact only contains one of your table names. A good way to do this is to compare it to a list of known table names, and if it isn't in the list, throw an exception.
Related
I have a column in my database table named UID. For some reason queries fail unless I surround the column name with double quotation marks (" "). None of the other columns require these quotation marks.
For example, this doesn't work:
SELECT user_name FROM user_table WHERE UID = '...'
But this does:
SELECT user_name FROM user_table WHERE "UID" = '...'
Is UID some kind of keyword? Why is it only happening to that column? How do I know if I need to use double quotes for other columns?
By the way, I'm running JDK 1.8_221 and using an oracle JDBC driver if that makes a difference.
Yes, it is about keywords. You can double quote everything (tables, columns) to avoid this but I can understand you don't want to do this.
To have a list of standard keywords: SQL Keywords
But you can see UID is not in this list as I assume it is a reserved keyword by your database implementation. I had the same problem with a table called "order" as it contains orders. ORDER is a keyword so I had to quote it each time.
So best is to test your statements using a SQL client tool.
Since you mention Oracle: Oracle keywords: "You can obtain a list of keywords by querying the V$RESERVED_WORDS data dictionary view."
If your create table command for user_table looks something like this:
create table user_table ("UID" varchar2(10))
then you will have to use quotes around UID in your query. This query:
select * from user_table where UID = 'somestring'
means to use the Oracle predefined UID pseudo column and your table's UID column will not be accessed.
If your table doesn't have a user-defined UID column, then using "UID" should fail.
My guess is your table does indeed have a UID column and when you say it "doesn't work" without using the quotes you probably mean it motivates an ORA-1722.
The type of failure, when using UID without quotes, depends on the content of the string 'somestring'. If the content of that string can be cast as a number then you probably won't get the rows you expect. If it cannot be cast as a number then you'll get an ORA-1722.
As an aside, if you try to execute this, then you'll get an ORA-904:
create table user_table (UID number)
Yes, it is keywords and return
UID returns an integer that uniquely identifies the session user (the
user who logged on).
By default, Oracle identifiers (table names, column names, etc.) are case-insensitive. You can make them case-sensitive by using quotes around them when creating them (eg: SELECT * FROM "My_Table" WHERE "my_field" = 1). SQL keywords (SELECT, WHERE, JOIN, etc.) are always case-insensitive.
You can use it for more information here.
I'm new in regular expression, and would like to ask help with the problem I have. I had a form, and it has drop down field where user can select one or more values, so the value for that drop down can be Faculty of Arts (if user chose one option) or Faculty of Arts, Faculty of Medicine (if user chose these two from the drop down).
Now, I want to convert this value, so that I can use it to filter my query. I will use this / these value(s) in WHERE clause. In this case, I have to reformat this value to "Faculty of Arts", "Faculty of Medicine", so it will fit in this statement:
SELECT * FROM myTable WHERE t_faculty IN ("Faculty of Arts", "Faculty of Medicine")
A friend of mine suggested me to try regular expression embedded in this SQL statement (I'm using SQL Server for the database). Do you have any idea on how to parse, and embed it in the SQL statement? Basically I need to add " characters in the beginning and end of the string, and replace the ,[space] with ",[space]" to get the wanted result.
Thank you!
Agus
You can split a comma-delimited string within SQL using STRING_SPLIT.
select * from myTable
where t_faculty in (
select value from string_split('Faculty of Arts, Faculty of Medicine', ',')
)
STRING_SPLIT returns a table of string values that are separated by the delimiter in the input string.
Otherwise you can use several pattern matching functions:
LIKE
PATINDEX
An SQL CLR (e.g.: C#) function that does expression matching. See SQL Server Regex.
You may also choose to simply split the string in your app. Then build the appropriate SQL command (or use something like Contains in linq).
You are not clear how you are passing those strings to SQL Server.
And SQL Server delimits strings with single quotes, i.e apostrophes not double quotes.
In whatever client-side code you have access to, simply concatenate the selected strings with apostrophes.
So if a user picks Faculty of Arts and Faculty of Medicine then you can join it all into one long string like
"'" & <selected option> & "'" & ",'" & <selected option> & "'"
You don't use regular expressions here to change the highlighted part of your SQL code :
SELECT FROM myTable WHERE t_faculty IN **("Faculty of Arts", "Faculty of Medicine")
I think your understanding about the way we use Regular Expressions could be wrong. You generally use regular expressions when you are trying to match with strings in your database which share some common properties. For instance if you have two rows with the fields "Faculty of Arts 1" and "Faculty of Arts 2". And you are trying to look up all the rows which have "Faculty of Arts" in general, then you could write it as SELECT * FROM myTABLE WHERE t_faculty LIKE 'Faculty of Arts*' where * would match anything after the text.
Instead of t_faculty IN (value1,value2), you will write something like t_faculty LIKE 'your regular_expression here'.
I have a script in ASP Classic that uses a Firebird database. I would like to execute a query without "quotation marks"
Now I must write this:
SQL = "SELECT ""TArticoli"".""IDArticolo"",""TArticoli"".""Desc"" FROM ""TArticoli"";"
I would write this:
SQL = "SELECT TArticles.IDArticle, TArticles.Desc FROM TArticles;"
The first one is accepted the second not, how can I do this?
You can't. DESC is a reserved word in Firebird, so to be able to use it as a column name (or any other object name for that matter), you will need to enclose it in quotes.
A second problem is that you are currently using
SELECT "TArticoli"."IDArticolo","TArticoli"."Desc" FROM "TArticoli"
And this means both your table name and the column names are case sensitive, and in that case, quoting those object names is mandatory. Unquoted object names are case insensitive, but are mapped to object names in upper case. This means that select * from TArticoli will select from a table called TARTICOLI, while select * from "TArticoli", selects from a table called TArticoli.
So unless you are going to rename or recreate all your tables or columns, you will not be able to get rid of quotes. The only thing you can do to reduce the number of quotes, is by not prefixing the columns with the table names (in the query shown it isn't necessary), or otherwise use a case insensitive alias for the table, eg
SELECT "IDArticolo", "Desc" FROM "TArticoli"
or
SELECT a."IDArticolo", a."Desc" FROM "TArticoli" AS a
In my SQL table, I have a column named "user_id" with comma separated value like this: a,b,c,d and I just wonder how can I update this column without removing old values. I want to update this column to a,b,c,d,e and in other step to a,b,c,d,e,f.
I wrote this query, but it removes old values and does not not update values with comma separated list:
UPDATE multiusers SET user_id = '" . $userID . "' WHERE hwid = '" . $hwid."'
If you want to update a column and append a value just do :-
UPDATE multiusers
SET user_id = user_id + "new user"
WHERE hwid = $hwid
This just appends a value to the existing value in SQL SERVER db at least, other databases may have different concatenation methods. I think your questions points to a fundamental design issue in your database and I would suggest rethinking this.
You are treating a field as a table. Even when you can do, it's a very bad approach. You should have as many records on multiusers table as userid's you have. But if you insist in your approach then you will have to create a quite complex query to retrieve the value of userid field, move to an array and compare it with the new value to make sure you doesn't insert duplicates in the field. Something like a cursor may work for you.
Is there a way to be prompted before you a run an SQL query in Access, to enter in the table name that you wish to query? For example, lets say the columns will always stay constant. The columns could be called "Fruit" and "Date." But, the table name could change depending on the batch number. Ie. table name could be "BatchNO_1" or "BatchNO_2" or "BatchNO_3" etc. So Lets say i have an SQL like:
select Fruit, Date from BatchNO_1 where Fruit = "Apples"
Is there a way that I can be prompted to enter in the table name and have the SQL use the table name i enter to perform the query?
No. The table name cannot be passed as parameter to a query. You will have to construct the query yourself.
Dim tableName as String, sql As String
tableName = InputBox("Please enter the table name")
If tableName <> "" Then
sql = "SELECT Fruit, Date FROM [" & tableName & "] WHERE Fruit = 'Apples'"
'TODO: execute the query here
End If
For instance, you could change the query text of an existing query like this:
CurrentDb.QueryDefs("myQuery").SQL = sql
Or you could execute the query like this
Dim db As DAO.Database, rs As DAO.Recordset
Set db = CurrentDb
Set rs = db.OpenRecordset(sql)
Do Until rs.EOF
Debug.Print rs!Fruit & " " & rs!Date
rs.MoveNext
Loop
rs.Close: Set rs = Nothing
db.Close: set db = Nothing
By putting the batch number in the table name instead of as a column, you are encoding data in the schema. This is not best practice, so in my opinion, the correct answer is to change your database design.
Make a single Batch table with all the columns from your current BatchNo tables, but add a column named BatchNo as part of the primary key. Load all the data from your BatchNo tables into this one, and then delete those tables. Then your query will straightforwardly look like this:
SELECT Fruit, Date
FROM Batch
WHERE
Fruit = "Apples"
AND BatchNo = [Enter Batch No];
Don't put data in table names. That is not the way databases are supposed to be made.
Just to explain a little bit, the reason that your current design violates best practice is due to exactly the problem you are facing now--the shenanigans and weird things you have to do to work with such a design and try to perform operations in a reasonable, data-driven, way.
By having the user enter the table name, you also create the danger of SQL injection if you aren't also careful to compare the user-provided table name to a whitelist of allowed table names. While this may not be such a big deal in Access, it is still heading down the wrong path and is training for something else besides professional database work. If you would ever like to grow your career, it would be regrettable to first have to unlearn a bunch of stuff before you could even start with a "clean slate" to learn the right way to do things.