Basically trying to use a wildcard SQL to select and fields that hold the data from txtclass in the homework column of the database. But for some reason what i have done is causing an error. (im am using VB.net)
The standard wildcard character is the % not the *. It seems that you have taken this query directly from the designer of MS-Access (and perhaps the * is supported by this database system also from ADO.NET).
However there is a bigger problem
The wildcard should be part of the string to match against the LIKE not outside the single quotes
... LIKE '%" + txtclass.Text + "'))";
Said that you should start immediately to use a parameterized query instead of string concatenation if you want to avoid Sql Injection and parsing problems
Use like=* '%txtClass.text%' instead of like=' &txtClass.text&'
Try your SQL statement as:
SELECT tblQuiz.QuizID, tblQuiz.Classhomework FROM tblQuiz WHERE
tblQuiz.Classhomework LIKE '%' + pupilclass + '%';
Related
I am migrating one project from Oracle 11 to PG 12 and have the following oracle code:
"... like lower(q'$%" +string + "%$') .... "
Could anyone say exact equivalent of this code in PostgreSQL?
This uses Oracles alternative quoting mechanism -- which seems unnecessary. I think this is equivalent:
like lower('%" + string + "%')
That said, you should be passing string in as a parameter rather than munging the query string. That is regardless of database.
I'm using .xsd dataset visual tool to help me build SQL DAL. Unfortunately, the server I'm connecting to is SQL Server 2000. So from VS 2010 the only provider I foud was OLE DB provider. This has some disadvantages. E.g. ? instead of named parameters etc.
I have a problem with querying for text part. Query in designer looks like this:
SELECT * FROM table WHERE nvarcharcolumn1 LIKE '%' + ? + '%'
This works fine from designer, when I insert value for this ? as %. % doesn't work and neither does ''.
But after I use xsd "Preview Data" it doesn't work with any of these values. And when called from C# code it doesn't work either.
How can I use string parameters correctly, when I want to filter by part of string and eventually allow omission of this parameter (one possibility is to create a query for each combination of not-required parameters but it's too much redundant code IMO).
SELECT * FROM table WHERE nvarcharcolumn1 LIKE '%<part of a string you want to search>%'
The way you have the string setup will open you up to SQL-injection. You should really use parameters something like
OleDbCommand cmd = new OleDbCommand( "SELECT * FROM table WHERE nvarcharcolumn1 LIKE ?", yourConnection );
cmd.Parameters.AddWithValue( "QmarkPlaceHolder", "%" + ValueLookingFor + "%" );
then continue execution of your query
I have a simple query but am running into problems using LIKE in VBA. My SQL string in VBA is:
stsql1 = "Select Top 25 data.* from data where data.Description Like ('*') "
When I run this sql string in my VBA code I get no records returned, but if I copy/paste the same string into a query in SQL View in MS Access, the query returns the values I expect. Is there a trick to using the "Like" syntax in VBA?
I can provide additional code and a small version of the database if that would help.
For SQL, the database engine will accept either single or double quotes as text delimiters. So either of these 2 WHERE clauses will work.
WHERE some_field Like '*'
WHERE some_field Like "*"
VBA however only accepts double quotes as text delimiters, so you would have to use the second form.
Two other points about your SELECT statement:
Select Top 25 data.* from data where data.Description Like ('*')
TOP [number] is arbitrary without an ORDER BY clause
You don't need parentheses surrounding your Like pattern ... you can use Like "*"
If your VBA code is using ADO with that SELECT statement, you must change the wild card character from * to % ...
WHERE data.Description Like '%'
In ADO/VBA, you have to use % instead of * as the wildcard. I ran into this a couple times in the past ....
Realize that there are at least 2 (yes two!) LIKE operators here.
One is the LIKE operator of VBA.
The other is the LIKE operator of the SQL of the database you are attached to.
The usual wildcards in SQL are % (for any # of any characters) and _ (for one of any character).
Know also that MS Access can open databases that aren't Access; it could be Microsoft SQL Server, or Oracle or IBM DB2. (BTW, the database that is normal for Access is called Microsoft JET.) You may be sheltered from that truth when you create a Query object in Access - in that circumstance, you are using JET SQL even when it's a linked table you are querying.
However, under VBA, when using either DAO or ADO, you're talking directly to whatever the database system happens to be, in which case you MUST use the SQL of that specific system.
OK, short answer: Use % like cularis said.
I can't add a comment, but I think it would be worth noting that you have to use % even if you are querying MS Access.
(example: Outlook VBA runs query on an Access database. The proper query is select * where user like '%bob%', even though this query would not work if plugged directly into an MS Access query).
I am trying to write an sql query and I am having a problem. When we want to write a query with a where clause to narrow down our results, we can do
... where name = 'John'
(Where name is a column in the table).
Now I am trying to insert a clause like this except the name is "O'Malley". So I thought the query would be
... where name = 'O'Malley'
but this gives me a null pointer exception.
Does anyone know how you could solve this problem?
Thanks for your help in advance.
Your problem is that the single quote in the string "O'Malley" is interpreted by SQL as the string terminator. To escape a single quote, replace it with two single quotes, like this:
where name = 'O''Malley'
Edit: If the string "O'Malley" came from a user input, your code is vulnerable to an SQL injection exploit. To avoid this risk, use a parameterized query.
Use bind variables to avoid thinking about quotation problems.
Bind variables beware of sql injection to.
Depending on the database you could escape the ' I think. Have a look at http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html
If you use two apostrophes together in you search string SQL will realise that it is part of the string and isn't part of the SQL syntax.
where name = 'O''Malley'
This question already has answers here:
How to anticipate and escape single quote ' in oracle
(2 answers)
Closed 7 years ago.
I have a database with names in it such as John Doe etc. Unfortunately some of these names contain quotes like Keiran O'Keefe. Now when I try and search for such names as follows:
SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe'
I (understandably) get an error.
How do I prevent this error from occurring. I am using Oracle and PLSQL.
The escape character is ', so you would need to replace the quote with two quotes.
For example,
SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe'
becomes
SELECT * FROM PEOPLE WHERE SURNAME='O''Keefe'
That said, it's probably incorrect to do this yourself. Your language may have a function to escape strings for use in SQL, but an even better option is to use parameters. Usually this works as follows.
Your SQL command would be :
SELECT * FROM PEOPLE WHERE SURNAME=?
Then, when you execute it, you pass in "O'Keefe" as a parameter.
Because the SQL is parsed before the parameter value is set, there's no way for the parameter value to alter the structure of the SQL (and it's even a little faster if you want to run the same statement several times with different parameters).
I should also point out that, while your example just causes an error, you open youself up to a lot of other problems by not escaping strings appropriately. See http://en.wikipedia.org/wiki/SQL_injection for a good starting point or the following classic xkcd comic.
Oracle 10 solution is
SELECT * FROM PEOPLE WHERE SURNAME=q'{O'Keefe}'
Parameterized queries are your friend, as suggested by Matt.
Command = SELECT * FROM PEOPLE WHERE SURNAME=?
They will protect you from headaches involved with
Strings with quotes
Querying using dates
SQL Injection
Use of parameterized SQL has other benefits, it reduces CPU overhead (as well as other resources) in Oracle by reducing the amount of work Oracle requires in order to parse the statement. If you do not use parameters (we call them bind variables in Oracle) then "select * from foo where bar='cat'" and "select * from foo where bar='dog'" are treated as separate statements, where as "select * from foo where bar=:b1" is the same statement, meaning things like syntax, validity of objects that are referenced etc...do not need to be checked again. There are occasional problems that arise when using bind variables which usually manifests itself in not getting the most efficient SQL execution plan but there are workarounds for this and these problems really depend on the predicates you are using, indexing and data skew.
Input filtering is usually done on the language level rather than database layers.
php and .NET both have their respective libraries for escaping sql statements. Check your language, see waht's available.
If your data are trustable, then you can just do a string replace to add another ' infront of the ' to escape it. Usually that is enough if there isn't any risks that the input is malicious.
I suppose a good question is what language are you using?
In PHP you would do: SELECT * FROM PEOPLE WHERE SURNAME='mysql_escape_string(O'Keefe)'
But since you didn't specify the language I will suggest that you look into a escape string function mysql or otherwise in your language.
To deal quotes if you're using Zend Framework here is the code
$db = Zend_Db_Table_Abstract::getDefaultAdapter();
$db->quoteInto('your_query_here = ?','your_value_here');
for example ;
//SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe' will become
SELECT * FROM PEOPLE WHERE SURNAME='\'O\'Keefe\''
Found in under 30s on Google...
Oracle SQL FAQ