Oracle SQL - Escape ampersand in field name [duplicate] - sql

This question already has answers here:
How to escape ampersand in TOAD?
(3 answers)
Closed 3 years ago.
I've seen a bunch of related posts, but none yet that resolve my specific question.
In Oracle SQL I need to do something like this:
SELECT field1 "Eggs&Cheese"
FROM table1;
But it reads the &Cheese and wants to do parameter substitution. I just want the field name to be Eggs&Cheese
I saw this post Escape ampersand with SQL Server, but Oracle does not like the bracket [] syntax.
And also Escaping ampersand character in SQL string, but that is escaping the ampersand in a value string, not a label string.

The substitution is related to tool you are using and has nothing to do with column alias.
db<>fiddle demo
Depending on the tool you could disable it like "set define off".
Related: Set define off not working in Oracle SQL Developer & How to escape ampersand in TOAD?

You have to set the escape. Works in Oracle SQL Developer.
set escape \
SELECT field1 "Eggs\&Cheese" FROM table1;
After your work is done you can set it off.
set escape off

Related

Select Stored procedure query [duplicate]

This question already has answers here:
SQL Server LIKE containing bracket characters
(3 answers)
Closed 10 months ago.
I am trying to select certain stored procedures within my database.
What I want is all stored procedures that start with Get_ but I cannot get proper results. It seems to ignore the _ for some reason. Running SQL Server 2019 developer version.
Here is my code:
select *
from information_schema.routines
where routine_type = 'PROCEDURE' and specific_name like 'Get_%'
The underscore _ character is a wildcard in SQL Server t-sql. Use LIKE 'Get[_]%' to explictly match an actual underscore in the string.
From the documentation - "[ ] (Wildcard - Character(s) to Match)":
Matches any single character within the specified range or set that is
specified between brackets [ ]. These wildcard characters can be used
in string comparisons that involve pattern matching, such as LIKE and
PATINDEX.

SQL select statement has problem with column name [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I am working on a project where another developer created a table with column names like 'Business Name'. That is a space between two words. If I run a SELECT statement with 'Business Name' it says there is no column with name 'Business'.
How can I solve this problem?
Generally the first step is to not do that in the first place, but if this is already done, then you need to resort to properly quoting your column names:
SELECT `Business Name` FROM annoying_table
Usually these sorts of things are created by people who have used something like Microsoft Access and always use a GUI to do their thing.
If double quotes does not work , try including the string within square brackets.
For eg:
SELECT "Business Name","Other Name" FROM your_Table
can be changed as
SELECT [Business Name],[Other Name] FROM your_Table
You need to use backtick instead of single quotes:
Single quote - 'Business Name' - Wrong
Backtick - `Business Name` - Correct
To each his own but the right way to code this is to rename the columns inserting underscore so there are no gaps. This will ensure zero errors when coding. When printing the column names for public display you could search-and-replace to replace the underscore with a space.
I got here with an MS Access problem.
Backticks are good for MySQL, but they create weird errors, like "Invalid Query Name: Query1" in MS Access, for MS Access only, use square brackets:
It should look like this
SELECT Customer.[Customer ID], Customer.[Full Name] ...
I think double quotes works too:
SELECT "Business Name","Other Name" FROM your_Table
But I only tested on SQL Server NOT mySQL in case someone work with MS SQL Server.

Escaping single quote on SQL injection [duplicate]

This question already has answers here:
How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?
(6 answers)
Closed 3 years ago.
Hello I am going through some SQL injection examples and I have the following scenario:
In this example, aware of the risk of SQL injection, the developer decided to block single quotes ' by removing any single quote ' in the query. However, there is still a way to break out of the SQL syntax and inject arbitrary SQL.
To do so, you need to think of the query:
SELECT * FROM users WHERE username='[username]' and password='[password]'
The problem here is that you cannot, in theory, break out of the single quotes ' since you cannot inject any quote. However, if you inject a back-slash \, the second ' in the query (the one supposed to finish the string [username] will be escaped and will be closed by the third one (the one supposed to start the string [password].
Doesn't this mean that if I input a "\" on the username field it will automatically break the query? and look something like
SELECT * FROM users WHERE username='[username] and password=' ..
Am I missing something ? Should I provide the backslash in another way?
Ok I have found the answer:
The username should be : \
and password : or 1#
Then the query will look something like this
SELECT * FROM users WHERE username = '\' AND password=' or 1#

What does the “&” symbol do in SQL?

What does the “&” symbol do?
select *
from emp
where ename like '&A%';
I infer you are using Oracle RDBMS since EMP.ENAME is from one of the example schemas from Oracle. In Oracle the ampersand "&" can be used as a substitution variable in SQL*Plus (client). See http://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables.php#substitution_variables.
99% of the time, you are probably not doing substitution and want a literal ampersand. Such as INSERT INTO sometable VALUES ('Black & Decker'); So you would disable substitution first in SQL*Plus with SET DEFINE OFF.
It doesn't do or mean anything special in SQL string literal. It is just stands for itself; i.e. the ampersand character. So like '&A%' means a string that starts with '&A'.
Apparently (Joshua's answer), the ampersand can have special meaning in Oracle SQLPlus. But that isn't SQL. It is a different language that has SQL syntax embedded in it.

how to write a word to a database that is between 2 Apostrophes?

I have a table in my database of type nvarchar(50);
I want to write to that specific column that string 'Tal' - Tal between 2 apostrophes.
When I'm trying to do so what is recorded in my DB is "Tal" - Tal between 2 quotation marks.
My database is an SQL database and so are my scripts.
How this can be solved?
The standard way to do what you want is this.
insert into mytable ( mycolumn ) values ('''Tal''');
The first and last ' are the start and end markers for the string. Each '' within these characters means '. Refer to page 89 of the SQL 92 specification at http://www.andrew.cmu.edu/user/shadow/sql/sql1992.txt
I think escaping is the key to your question. For SQL apostrophes are special characters, thus they have to be escaped by '' (two apostrophes). Have you checked that your scripts do not add the second apostrophe for you? Probably you have to add Tal without the apostrophes.
Escape % seems to be DB dependant. Oracles uses \%, others accespt [%] and some seem to have a keyword ESCAPE. You have read the documentation of your database, look for "escape characters".
Try inserting like this using the backslash \'Tal\'.