Parsing a string with double quotation in it - sql

I have a table in which one of the fields contains the string 302720"?.
When I try to do a substring of that string, it returns an error. I understand that it is because of the double quotes within the string.
I tried replacing the quotation with REGEXP_REPLACE, even that didn't work.
Below is the SQL statement:
SELECT SUBSTR("302720"?", 0, 3)
Any comments regarding this would be appreciated.

Please see below for an example. You didn't list the DBMS, so I assumed SQL Server.
Code
CREATE TABLE SUBSTR_TEST(STRING VARCHAR(50) NOT NULL)
INSERT INTO SUBSTR_TEST
VALUES('302720"?')
SELECT * FROM SUBSTR_TEST
SELECT SUBSTRING(REPLACE(STRING,'"',''),0,3) AS STRING FROM SUBSTR_TEST
Result

If you're doing this by hand, either use different quotes...
SELECT SUBSTR('302720"?', 0, 3)
Or you can escape the quote. You can do this by doubling the quote:
SELECT SUBSTR("302720""?", 0, 3)
Or you can use the traditional \ escape character.
SELECT SUBSTR("302720\"?", 0, 3)
If you're doing this in a program, use a prepared statement with bind parameters. This avoids having to deal with escapes as well as avoiding a host of security problems. The specifics differ by language, but it's usually something like this:
handle = connection.prepare("SELECT SUBSTR(?, ?, ?)");
handle.execute('302720"?', 0, 3)
result = handle.fetch
It's analogous to passing variables into a function.
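An added example, not code from the answer above, using Python's built-in sqlite3 module: it runs SUBSTR over a bound parameter and, for comparison, over a hand-built literal with doubled single quotes. The function names and the two sample strings are mine; SQLite's SUBSTR is 1-based, so the examples start at 1.

```python
import sqlite3

# Constructed sample values: the questioner's string (contains a double quote)
# and one containing single quotes, to show the same code handles both.
SAMPLE = '302720"?'
SAMPLE_SINGLE = "Toys'R'Us"


def substr_bound(value, start, length):
    """SUBSTR over a bound parameter: the value never becomes part of the SQL
    text, so quotes inside it cannot be read as syntax (and cannot inject)."""
    con = sqlite3.connect(":memory:")
    try:
        # '?' marks a bind position; the driver supplies the value separately.
        row = con.execute("SELECT SUBSTR(?, ?, ?)", (value, start, length)).fetchone()
        return row[0]
    finally:
        con.close()


def quote_literal(value):
    """Hand-built single-quoted literal: the only escape standard SQL needs
    is doubling the single quote. For use only where binding is impossible."""
    return "'" + value.replace("'", "''") + "'"


def substr_hand_quoted(value, start, length):
    """Same query with the literal spliced into the SQL text (the 'by hand'
    route). Correct only because quote_literal doubled the quotes."""
    con = sqlite3.connect(":memory:")
    try:
        sql = f"SELECT SUBSTR({quote_literal(value)}, {int(start)}, {int(length)})"
        return con.execute(sql).fetchone()[0]
    finally:
        con.close()
```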

Related

SQL Query like Condition not working as expected

I have a query in SQL Server and have values like the following, which are enclosed in quotes. I am trying to filter the values which have CC_ somewhere in the string. In the query, when I try to filter the values using %CC_%, it still returns the values even though it is not present in the string.
with a as (
Select '#IDESC("Account"),#IDESC("Period"),#IDESC("View"),#IDESC("Scenario"),#IDESC("Version"),#IDESC("Years"),#IDESC("Currency"),#IDESC("Product"),#IDESC("FX View"),#IDESC("Data_Type"),#IDESC("Entity"),#IDESC("Function"),#IDESC("Market"),#IDESC("Business_Unit"),#IDESC("Reporting_Unit")'
as val)
select * from a where val like '%CC_%'
Can experts please help?
To match literal underscore in a SQL Server LIKE expression, you may place it into square brackets:
SELECT * FROM a WHERE val LIKE '%CC[_]%';
Underscore _ in a LIKE expression literally means any single character, and % means zero or more characters.

Can I avoid sql injection in sqlite fts replacing quotes? [duplicate]

I wrote the database schema (only one table so far), and the INSERT statements for that table in one file. Then I created the database as follows:
$ sqlite3 newdatabase.db
SQLite version 3.4.0
Enter ".help" for instructions
sqlite> .read ./schema.sql
SQL error near line 16: near "s": syntax error
Line 16 of my file looks something like this:
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there\'s');
The problem is the escape character for a single quote. I also tried double escaping the single quote (using \\\' instead of \'), but that didn't work either. What am I doing wrong?
Try doubling up the single quotes (many databases expect it that way), so it would be:
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there''s');
Relevant quote from the documentation:
A string constant is formed by enclosing the string in single quotes ('). A single quote within the string can be encoded by putting two single quotes in a row - as in Pascal. C-style escapes using the backslash character are not supported because they are not standard SQL. BLOB literals are string literals containing hexadecimal data and preceded by a single "x" or "X" character. ... A literal value can also be the token "NULL".
I believe you'd want to escape by doubling the single quote:
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there''s');
To replace all (') in your string, use
.replace(/\'/g,"''")
example:
sample = "St. Mary's and St. John's";
escapedSample = sample.replace(/\'/g,"''")
Just in case you have a loop or a JSON string that needs to be inserted into the database, try to replace the string with a single quote. Here is my solution. Example if you have a string that contains a single quote:
String mystring = "Sample's";
String myfinalstring = mystring.replace("'","''");
String query = "INSERT INTO " + tableName + " (" + field1 + ") VALUES ('" + myfinalstring + "')";
This works for me in C# and Java.
In C# you can use the following to replace the single quote with a double quote:
string sample = "St. Mary's";
string escapedSample = sample.Replace("'", "''");
And the output will be:
"St. Mary''s"
And if you are working with SQLite directly, you can work with object instead of string and catch special things like DBNull:
private static string MySqlEscape(Object usString)
{
    if (usString is DBNull)
    {
        return "";
    }
    string sample = Convert.ToString(usString);
    return sample.Replace("'", "''");
}
In bash scripts, I found that escaping double quotes around the value was necessary for values that could be null or contained characters that require escaping (like hyphens).
In this example, columnA's value could be null or contain hyphens:
sqlite3 $db_name "insert into foo values (\"$columnA\", $columnB)";
Demonstration of single quoted string behavior where complexity or double quotes are not desired.
Test:
SELECT replace('SAMY''S','''''','''');
Output:
SAMY'S
SQLite version:
SELECT sqlite_version();
Output:
3.36.0

Alternate Postgres syntax for escaping reserved words

In a PGSQL query one might use double-quotes to escape a column or table name that happens to be a reserved word, like so
select "name" from sometable;
This is often combined with C#, and the escaping must itself be escaped.
string sql = "select \"name\" from sometable;";
However, there is another C# trick that I would like to use to allow line breaks in my SQL for legibility, like so:
string sql = @"
select
foo
from
sometable;";
And here we come unglued: you can't use backslashes to escape double-quotes in a string in which backslashes and linebreaks are treated as literals.
Generally I exploit the fact that dot notation makes the escaping unnecessary.
string sql = @"
select
x.name
from
sometable as x;";
But what of tables with reserved words for names?
string sql = @"
select
foo
from
user;";
Putting aside my burning desire to thump the person who keeps using reserved words for column and table names, I ask for alternate syntax. I tried the widely used square bracket syntax.
string sql = @"
select
foo
from
[user];";
But PGSQL seems to be unhelpful there.
I did find a workaround: dot notation again.
string sql = @"
select
foo
from
public.user;";
But the question stands: alternate notation?
There is no alternative to double quotes for quoting identifiers. You will have to pay the price for the bad design choice of choosing identifiers that are not standard compliant.

How do I use single quotes as part of a string in SQL

I have a where clause that uses a string,
Where
pm.Alias = 'Toys'R'Us France'
However part of the string uses single quotation marks, 'R'
How do I wrap up the whole string to pass it through into my Where clause?
I cannot use:
Where
pm.Alias = 'Toys''R''Us France'
As I need the whole string encased, as I will use this in Excel to pass this as a parameter into my query.
In SQL, if you want to have single quotes inside a string, then you should specify two consecutive single quotes for every single quote in your string. So
Where
pm.Alias = 'Toys'R'Us France'
should be written as
Where
pm.Alias = 'Toys''R''Us France'
You might try using extra quotes after and before the existing quotes.
In this case add quote before and after 'R', and the query will be like below.
Where
pm.Alias = 'Toys''R''Us France'
I recently faced this issue in my SQLite database; you can resolve it like this.
Where
pm.Alias = "Toys'R'Us France"
Use a double quote (") instead of a single quote (') after the equals sign.

How to use regex replace in Postgres function?

I have a Postgres function in which I am appending values to a query, such that I have,
DECLARE
clause text = '';
After appending I have something like,
clause = "and name='john' and age='24' and location ='New York';"
I append the above to the where clause of the query I already have. While executing the query I get "and" just after "where", which results in an error.
How do I use regex_replace so that I remove the first "and" from clause before appending it to the query?
Instead of fixing clause after the fact, you could avoid the problem by using concat_ws (concatenate with separator):
clause = concat_ws(' and ', "name='john'", "age='24'", "location ='New York'")
will make clause equal to
"name='john' and age='24' and location ='New York'"
This can be even simpler. Use right() with a negative offset.
Truncates the first n characters and you don't need to specify the length of the string. Faster, simpler.
Double quotes (") are for identifiers in Postgres (and standard SQL) and incorrect in your example. Enclose string literals in single quotes (') and escape single quotes within - or use dollar quoting:
Insert text with single quotes in PostgreSQL
Since this is a plpgsql assignment, use the proper assignment operator :=. The SQL assignment operator = is tolerated, too, but can lead to ambiguity in corner cases.
Finally, you can assign a variable in plpgsql at declaration time. Assignments in plpgsql are still cheap but more expensive than in other programming languages.
DECLARE
clause text := right($$and name='john' and age='24' ... $$, -5)
All that said, it seems like you are trying to work with dynamic SQL and starting off on the wrong foot here. If those values can change, rather supply them as values with the USING clause of EXECUTE and be wary of SQL injection. Read some of the related questions and answers on the matter:
https://stackoverflow.com/search?q=[plpgsql]+[dynamic-sql]+EXECUTE+USING
You do not need regex:
clause = substr(clause, 5, 10000);
clause = substr(clause, 5, length(clause)- 4); -- version for formalists
concat_ws sounds like the best option, but as a general solution for things like this (or any sort of list with a delimiter) you can use logic like (pseudocode):
delim = '';
while (more appendages)
clause = clause + delim + nextAppendage;
delim = ' AND ';
If you want to do it with regular expression try this:
result = regexp_replace(clause, '^and ', '')
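An added example, not from any of the answers: the put-the-delimiter-between-items logic from the pseudocode above, combined with the advice in the earlier answer to supply values as bound parameters instead of splicing them into the SQL. It is written in Python over the standard sqlite3 module; the table, its rows, the column allow-list and the function names are mine.

```python
import sqlite3

# Constructed sample rows, standing in for the questioner's table.
ROWS = [("john", 24, "New York"), ("jane", 24, "Boston"), ("o'brien", 31, "New York")]

# Column names cannot be bound, so they come from a fixed allow-list (mine).
ALLOWED_COLUMNS = {"name", "age", "location"}


def build_clause(filters):
    """Return (sql_fragment, params). The ' and ' separator is placed only
    *between* conditions, so there is never a leading 'and' to strip off.
    Values are returned as bind parameters, never embedded in the text."""
    parts = []
    params = []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {column}")
        parts.append(f"{column} = ?")
        params.append(value)
    return " and ".join(parts), params


def find_people(filters):
    """Run the dynamic query; an empty filter set omits the WHERE entirely."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE people(name TEXT, age INTEGER, location TEXT)")
        con.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
        fragment, params = build_clause(filters)
        sql = "SELECT name FROM people"
        if fragment:  # no conditions at all: no 'where' keyword either
            sql += " where " + fragment
        sql += " ORDER BY name"
        return [row[0] for row in con.execute(sql, params)]
    finally:
        con.close()
```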