Can't get update statement in SQL Server to work - sql

I'm attempting to execute this SQL Update statement and it's not working. Does anyone know why?
update dbo.EBSTable
set CommandField = replace(CommandField, '%APPL.mbm_aging_file', '%APPL.mbm_aging_file)')
where Command like '[%]APPL.mbm_aging_file'
Basically, I'm just trying to add a ")" to the end of the data appearing in the CommandField field where the value is %APPL.mbm_aging_file (The "%" actually appears in the data).

I discovered my where clause was inadequate (like me with SQL). It should read
update dbo.EBSTable set CommandField = replace(CommandField, '%APPL.mbm_aging_file', '%APPL.mbm_aging_file)') where Command like '%[%]APPL.mbm_aging_file%'
That statement worked.

update dbo.EBSTable
set CommandField = '%APPL.mbm_aging_file' + ')' -- or set CommandField = '%APPL.mbm_aging_file)'
where Command = '%APPL.mbm_aging_file'
You can do this, as you only need to add ) at the end for this specific case.

Related

Update SQL data but the data contains ' so I get errors

I'm trying to update SQL data but it contains ' so I get errors.
The SQL statement looks like this:
UPDATE SystemConfiguration
SET HeaderScript = '<script> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],'
WHERE ID = 1
I tried to replace the quote with " but I get an error. I also tried without the quote and I get an error as well.
Any suggestions?
You need to double the single quotes to escape them:
UPDATE SystemConfiguration
SET HeaderScript = '<script> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({''gtm.start'': new Date().getTime(),event:''gtm.js''});var f=d.getElementsByTagName(s)[0],'
WHERE ID = 1

How to add to the end of text column through sql?

I am trying to create an sql query that adds a string to the end of the cell. Right now I have this.
$sql = "UPDATE table SET $column1= $column1 + $newstring1, $column2 = $column2 + $newstring2, $column3 = $column3 + $newstring3, WHERE username = $user_username";
The values of $newstring1, $newstring2, and $newstring3 are formatted like "155:2,"
The idea is to add delimiters to each entry so I can easily sort them later. Right now I'm getting a syntax error on my query, but I'm new to php. Is the error because when the database is empty, there is no original variable and therefore I need to INSERT INTO instead of UPDATE, or is the comma in the string itself creating the error and do I need to somehow concatenate it?
I'm more used to C# than PHP so I'm not sure the proper way to format that type of query.

UPDATE same column multiple times in query

Is there a specified behavior for updating the same column 2+ times in the same UPDATE query, as follows?
UPDATE tbl SET a = 5, b = 'something', a = 6 WHERE c = 'whatever';
Is there a standardized behavior for this, or might it vary between flavors of SQL (e.g. it is "undefined behavior")? A cursory test with sqlite seems to indicate they are executed left-to-right, so the last column value will be the resulting one, but that doesn't imply that will always be the case.
Edit: The reason I'm trying to do this is I'm testing some SQL injection for a class project. One of the fields in an UPDATE is unsafely injected, and I'm trying to use it to overwrite previously SET fields from the same query.
This isn't exactly the answer you're looking for but assuming that the text "something" is a field you are passing in and it isn't parameterized or escaped you may be able to do this. This all depends on how the query is being built and what database it is being run against.
UPDATE tbl SET a = 5, b = 'something'; UPDATE tbl set a = 6;--' WHERE c = 'whatever';
by entering the following in the user input
something'; UPDATE tbl set a = 6;--
This assumes that the query is built dynamically something like this
var query = "UPDATE tbl set a = 5, b = '" + userInput + "' WHERE c = 'whatever'";
Here is a relevant question: How does the SQL injection from the "Bobby Tables" XKCD comic work?
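Added example (not part of the original answers): the concatenated query from the answer above next to a parameterized version, run against an in-memory SQLite table standing in for tbl. The same binding also stores the quote-laden script value from the HeaderScript question without doubling quotes by hand. The function names, the two sample rows and the use of SQLite are assumptions made for this demonstration.

```python
import sqlite3

# Constructed inputs: the string quoted in the answer above, and a fragment of
# the HeaderScript value (it contains single quotes) from the earlier question.
PAYLOAD = "something'; UPDATE tbl set a = 6;--"
SCRIPT = "w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});"


def make_db():
    """In-memory stand-in for tbl(a, b, c); two rows make the update scope visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl (a INTEGER, b TEXT, c TEXT)")
    db.executemany("INSERT INTO tbl VALUES (?, ?, ?)",
                   [(1, "old", "whatever"), (1, "old", "other")])
    return db


def update_concat(db, user_input):
    """Vulnerable pattern from the answer: the input is spliced into the SQL text."""
    query = "UPDATE tbl SET a = 5, b = '" + user_input + "' WHERE c = 'whatever'"
    db.executescript(query)  # executes every statement found in the string
    return db.execute("SELECT a, b, c FROM tbl ORDER BY c").fetchall()


def update_param(db, user_input):
    """Hardened form: constant SQL text, the value travels as a bound parameter."""
    db.execute("UPDATE tbl SET a = 5, b = ? WHERE c = ?", (user_input, "whatever"))
    return db.execute("SELECT a, b, c FROM tbl ORDER BY c").fetchall()


def concat_fails_on_quotes(db, value):
    """Unescaped quotes in a spliced value end the literal early: a syntax error."""
    try:
        update_concat(db, value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    # Concatenation: the WHERE clause is commented out and every row is rewritten.
    print("concatenated :", update_concat(make_db(), PAYLOAD))
    # Binding: only the matching row changes and the input is stored as plain text.
    print("parameterized:", update_param(make_db(), PAYLOAD))
    print("script stored:", update_param(make_db(), SCRIPT)[1][1] == SCRIPT)
    print("concat breaks:", concat_fails_on_quotes(make_db(), SCRIPT))
```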

Delphi 10 - SQL statement Syntax error Update

I have no idea what's wrong with my code; it keeps giving me a syntax error in UPDATE statement. Here is the code:
adoQueryUsers.SQL.Clear;
adoQueryUsers.SQL.Add('Update Users SET Password = "' +
EdtPassword.Text + '" where Username = "' + sUsername + '" ');
adoQueryUsers.Active := true;
adoQueryUsers.ExecSQL;
I did try using adoQueryUsers.SQL.Text := but it gives me the exact same problem.
Remove your 'adoQueryUsers.Active := true;'. This is an update statement and doesn't return a recordset. Only your ExecSQL is needed.
Also, I would use parameters instead of parsing the password and user directly into the query, or you're exposed to SQL injection.
You have several issues in your code.
Let's start with the inappropriate call to
adoQueryUsers.Active := true;
You only use TADOQuery.Active or TADOQuery.Open on a SQL statement that returns a rowset. Your statement does not do so, so remove that statement. The TADOQuery.ExecSQL is the only one that is relevant here.
Next, stop trying to concatenate SQL, and use parameters instead. It's no more code and it properly handles things like quoting values, formatting dates, etc. It also prevents SQL injection issues for you.
adoQueryUsers.SQL.Clear;
adoQueryUsers.SQL.Add('Update Users SET Password = :Password');
adoQueryUsers.SQL.Add('Where UserName = :UserName');
adoQueryUsers.Parameters.ParamByName('Password').Value := EdtPassword.Text;
adoQueryUsers.Parameters.ParamByName('UserName').Value := sUserName;
adoQueryUsers.ExecSQL;

Updating a table in MS_Access using SQL

I have a few databases and I need to insert a string value in front of some of the values. I have the following code:
UPDATE DB_AlarmTest SET DB_AlarmTest.Address = "DB40," & [Address]
WHERE DB_AlarmTest.Address
NOT LIKE '%DB40%';
I don't want my addresses to come out like this: "DB40,DB40,DB40,2.0" if I execute the query more than once, so I added the " NOT LIKE '%DB40%' " part.
Can someone tell me why this is not working?
Thanks in advance!
With the usual ANSI options in MS Access, the wildcard is *, not %, so:
UPDATE DB_AlarmTest
SET DB_AlarmTest.Address = "DB40," & [Address]
WHERE DB_AlarmTest.Address Not Like "*DB40*"