I'm trying to update SQL data but it contains ' so I get errors.
The SQL statement looks like this:
UPDATE SystemConfiguration
SET HeaderScript = '<script> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],'
WHERE ID = 1
I tried to replace the quote with " but I get error. I also tried without quote I get error as well.
Any suggestions.
You need to double the single quotes to escape them:
UPDATE SystemConfiguration
SET HeaderScript = '<script> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({''gtm.start'': new Date().getTime(),event:''gtm.js''});var f=d.getElementsByTagName(s)[0],'
WHERE ID = 1
Related
I am trying to create an sql query that adds a string to the end of the cell. Right now I have this.
$sql = "UPDATE table SET $column1= $column1 + $newstring1, $column2 = $column2 + $newstring2, $column3 = $column3 + $newstring3, WHERE username = $user_username";
The values of $newstring1, $newstring2, and $newstring3 are formatted like "155:2,"
The idea is to add delimiters to each entry so I can easily sort them later. Right now I'm getting a syntax error on my query, but I'm new to php. Is the error because when the database is empty, there is no original variable and therefore I need to INSERT INTO instead of UPDATE, or is the comma in the string itself creating the error and do I need to somehow concatenate it?
I'm more used to C# than PHP so I'm not sure the proper way to format that type of query.
I'm doing an update but the value has ' and " quotes,
How do I proceed?
This is how my query looks like
Update Users
set info = '[user{"LinkAction('togglemore', 'companies','jobs')","IsVisible":true}]'
where user like '%admin%'
How do i make the SET to consider everything in the ' single quote '
You can use two single quote ''
Update Users
set info = '[user{"LinkAction(''togglemore'', ''companies'',''jobs'')","IsVisible":true}]'
where user like '%admin%'
sqlfiddle : http://sqlfiddle.com/#!18/402e8/1
Is there a specified behavior for updating the same column 2+ times in the same UPDATE query, as follows?
UPDATE tbl SET a = 5, b = 'something', a = 6 WHERE c = 'whatever';
Is there a standardized behavior for this, or might it vary between flavors of SQL (e.g. it is "undefined behavior")? A cursory test with sqlite seems to indicate they are executed left-to-right, so the last column value will be the resulting one, but that doesn't imply that will always be the case.
Edit: The reason I'm trying to do this is I'm testing some SQL injection for a class project. One of the fields in an UPDATE is unsafely injected, and I'm trying to use it to overwrite previously SET fields from the same query.
This isn't exactly the answer you're looking for but assuming that the text "something" is a field you are passing in and it isn't parameterized or escaped you may be able to do this. This all depends on how the query is being built and what database it is being run against.
UPDATE tbl SET a = 5, b = 'something'; UPDATE tbl set a = 6;--' WHERE c = 'whatever';
by entering the following in the user input
something'; UPDATE tbl set a = 6;--
This assumes that the query is built dynamically something like this
var query = "UPDATE tbl set a = 5, b = '" + userInput + "' WHERE c = 'whatever'";
Here is a relevant question: How does the SQL injection from the "Bobby Tables" XKCD comic work?
I'm attempting to execute this SQL Update statement and it's not working. Does anyone know why ?
update dbo.EBSTable
set CommandField = replace(CommandField, '%APPL.mbm_aging_file', '%APPL.mbm_aging_file)')
where Command like '[%]APPL.mbm_aging_file'
Basically, I'm just trying to add a ")" to the end of the data appearing in the CommandField field where the value is %APPL.mbm_aging_file (The "%" actually appears in the data).
I discovered my where clause was inadequate (like me with SQL). It should read
update dbo.EBSTable set CommandField = replace(CommandField, '%APPL.mbm_aging_file', '%APPL.mbm_aging_file)') where Command like '%[%]APPL.mbm_aging_file%'
That statement worked.
update dbo.EBSTable
set CommandField = '%APPL.mbm_aging_file' + ')' -- or set CommandField = '%APPL.mbm_aging_file)'
where Command = '%APPL.mbm_aging_file'
You can do this, as you only need to add ) at the end only for this specific case.
I want to insert a record using SQL and one of the fields needs to contain a carriage return, e.g.
Notes field:
Line 1
Line 2
End line
How would I code this SQL statement using VB
When you build the insert statement, you store it in a string somewhere. Add an escaped newline character into the string wherever you want the carrage returns to be.
A simple way to do that in VB would be:
Sql = Sql & vbCrLf
Using SQL code:
UPDATE MyTable
SET MyCol = MyCol + CHAR(13) + CHAR(10);