I'm running a SQL query in PowerShell using the SQLCMD, one of the posts shows how to use TAB as a separator. I'd like to have a fancier sequence of characters such as TAB-Comma-Space or Tab-Comma-Tab.
I've tried
-s `"`t,`t`"
-s `"`t`, `"
but it still uses a single Tab as the separator.
Thanks in advance.
Not possible according to the documentation.
-s col_separator
Specifies the column-separator character. The default is a blank space. This option sets the sqlcmd scripting variable SQLCMDCOLSEP. To use characters that have special meaning to the operating system such as the ampersand (&), or semicolon (;), enclose the character in quotation marks ("). The column separator can be any 8-bit character.
You might want to think about using a character like the hat/caret (^) as your delimiter and mass replacing that in the output. Not sure what single character would be least likely to conflict with your dataset.
Related
I'm having an issue figuring out how to ignore signs and variables in a single quote string statement.
I am attempting to update a table with the new text with structure such as:
update xxx
set xxx =
'Our Ref. $BOOKING_NO$
.......
Kind regards'
If your $ chars are being interpreted, it isn't by Oracle ($ isn't special in Oracle anyway, and between single-quotes everything is a string), but rather by your client program or maybe shell script. If, for example, you are running this in SQL*Plus from a Unix-based shell script, you will need to use the appropriate means required by the shell you use to prevent the shell from interpreting $ and ' characters.
I am working on macOS, not iOS, XCode 11.
My app allows in a specific location to enter text. This text can be anything. Once done it exports a csv which will be passed to an external process i cannot influence.
The issue: the external process uses semicolon ";" as a separator (csv is separated differently). If the user writes semicolon the external process will fail.
If I manually add an escaping backslash before each semicolon to the csv and then pass it to the external app it works.
What I need: having each semicolon escaped with ONE backslash in the final csv
What I tried
Escaping the whole text with quotation marks - fail
Escaping semicolons in objective-c before writing csv by trying
stringByReplacingOccurrencesOfString (look for #";" replace with #"\;" - compiler throws a warning that escape character is unknown - fail
Appreciate any help
UPDATE:
I also tried to set a double backslash like #Corbell mentioned but this leads in a double backslash in the exported CSV -> fail
I also tried to set a single backslash by using its unicode character:
[NSString stringWithFormat:#"%C;",0x5C]; --> "\\;"
Also failed and produces two backslashes in the final CSV (where i need ONE only).
In your stringByReplacingOccurencesOfString call, second parameter, try escaping your backslash with a backslash to make it a literal character to insert, i.e. #"\\;" - otherwise the compiler thinks you're trying to specify #"\;" as an escape sequence (backslash-semicolon) which is invalid.
Solved. It was the CSV Parser that added additional escaping characters. Once solved that it worked like a charm.
To prevent SQL injection attack, the book "Building Scalable Web Sites" has a function to replace regular expression characters with escaped version:
function db_escape_str_rlike($string) {
preg_replace("/([().\[\]*^\$])/", '\\\$1', $string);
}
Does this function escape ( ) . [ ] * ^ $? Why are only those characters escaped in SQL?
I found an excerpt from the book you mention, and found that the function is not for escaping to protect against SQL injection vulnerabilities. I assumed it was, and temporarily answered your question with that in mind. I think other commenters are making the same assumption.
The function is actually about escaping characters that you want to use in regular expressions. There are several characters that have special meaning in regular expressions, so if you want to search for those literal characters, you need to escape them (precede with a backslash).
This has little to do with SQL. You would need to escape the same characters if you wanted to search for them literally using grep, sed, perl, vim, or any other program that uses regular expression searches.
Unfortunately, active characters in sql databases is an open issue. Each database vendor uses their own (mainly oracle's mysql, that uses \ escape sequences)
The official SQL way to escape a ', which is the string delimiter used for values is to double the ', as in ''.
That should be the only way to ensure transparency in SQL statements, and the only way to introduce a proper ' into a string. As soon as any vendor admits \' as a synonim of a quote, you are open to support all the extra escape sequences to delimit strings. Suppose you have:
'Mac O''Connor' (should go into "Mac O'Connor" string)
and assume the only way to escape a ' is that... then you have to check the next char when you see a ' for a '' sequence and:
you get '' that you change into '.
you get another, and you terminate the string literal and process the char as the first of the next token.
But if you admit \ as escape also, then you have to check for \' and for \\', and \\\' (this last one should be converted to \' on input) etc. You can run into trouble if you don't detect special cases as
\'' (should the '' be processed as SQL mandates, or the first \' is escaping the first ' and the second is the string end quote?)
\\'' (should the \\ be converted into a single \ then the ' should be the string terminator, or do we have to switch to SQL way of encoding and consider '' as a single quote?)
etc.
You have to check your database documentation to see if \ as escape characters affect only the encoding of special characters (like control characters or the like) and also affects the interpretation of the quote character or simply doesn't, and you have to escape ' the other way.
That is the reason for the vendors to include functions to do the escape/unescape of character literals into values to be embedded in a SQL statement. The idea of the attackers is to include (if you don't properly do) escape sequences into the data they post to you to see if that allows them to modify the text of the sql command to simply add a semicolon ; and write a complete sql statement that allows them to access freely your database.
i have a problem in inserting the listbox value into mysql database in vb 2008 i.e
if i select a video file i.e D:\videos\video1.mpg and add a msgbox() event before inserting into data base it shows the exact path i.e D:\videos\video1.mpg but when i check my database it shows me as D:videosvideo1.mpg how can i solve that
Within MySQL string values the backslash is interpreted as an escape character. The following escape sequences have special meaning to MySQL: \0, \', \", \b, \n, \r, \t, \z, \, \%, \_. Any other character preceeded by a backslash is just replaced with that character. So in your example: \v is not a valid escape sequence so it is replaced with just "v" when it is stored. You should alter your path values to contain the "\" sequence to actually store a backslash. Example: D:\\videos\\video1.mpg
try to insert path with two backslash signs, for example "D:\\videos\\video1.mpg" into database.
I need a complete list of characters that should be escaped in sql string parameters to prevent exceptions. I assume that I need to replace all the offending characters with the escaped version before I pass it to my ObjectDataSource filter parameter.
No, the ObjectDataSource will handle all the escaping for you. Any parametrized query will also require no escaping.
As others have pointed out, in 99% of the cases where someone thinks they need to ask this question, they are doing it wrong. Parameterization is the way to go. If you really need to escape yourself, try to find out if your DB access library offers a function for this (for example, MySQL has mysql_real_escape_string).
SQL Books online:
Search for String Literals:
String Literals
A string literal consists of zero or more characters surrounded by quotation marks. If a string contains quotation marks, these must be escaped in order for the expression to parse. Any two-byte character except \x0000 is permitted in a string, because the \x0000 character is the null terminator of a string.
Strings can include other characters that require an escape sequence. The following table lists escape sequences for string literals.
\a
Alert
\b
Backspace
\f
Form feed
\n
New line
\r
Carriage return
\t
Horizontal tab
\v
Vertical tab
\"
Quotation mark
\
Backslash
\xhhhh
Unicode character in hexadecimal notation
Here's a way I used to get rid of apostrophes. You could do the same thing with other offending characters that you run into. (example in VB.Net)
Dim companyFilter = Trim(Me.ddCompany.SelectedValue)
If (Me.ddCompany.SelectedIndex > 0) Then
filterString += String.Format("LegalName like '{0}'", companyFilter.Replace("'", "''"))
End If
Me.objectDataSource.FilterExpression = filterString
Me.displayGrid.DataBind()