What does the “&” symbol do in SQL? - sql

What does the “&” symbol do?
select *
from emp
where ename like '&A%';

I infer you are using Oracle RDBMS since EMP.ENAME is from one of the example schemas from Oracle. In Oracle the ampersand "&" can be used as a substitution variable in SQL*Plus (client). See http://oracle-base.com/articles/misc/literals-substitution-variables-and-bind-variables.php#substitution_variables.
99% of the time, you are probably not doing substitution and want a literal ampersand. Such as INSERT INTO sometable VALUES ('Black & Decker'); So you would disable substitution first in SQL*Plus with SET DEFINE OFF.

It doesn't do or mean anything special in SQL string literal. It is just stands for itself; i.e. the ampersand character. So like '&A%' means a string that starts with '&A'.
Apparently (Joshua's answer), the ampersand can have special meaning in Oracle SQLPlus. But that isn't SQL. It is a different language that has SQL syntax embedded in it.

Related

select using keyword values in SQL

I am trying to do a query in a SQLite database equivalent to this:
SELECT act_unit FROM processes WHERE process='processname'
but using the keyword values, so I can specify the name, which is stored in a variable (I am actually running the query in a Jupyter notebook). I've used successfully the keyword values in insert statements, but I do not know how to do it here. I tried several combinations like this one
SELECT act_unit from processes WHERE process=values,('processname')
but I can't figure out how to do it properly.
From the SQLite documentation: https://www.sqlite.org/lang_keywords.html
It would be SELECT act_unit from processes WHERE process="values",('processname')
If you want to use a keyword as a name, you need to quote it. There
are four ways of quoting keywords in SQLite:
'keyword' A keyword in single quotes is a string literal.
"keyword" A keyword in double-quotes is an identifier.
[keyword] A
keyword enclosed in square brackets is an identifier. This is not
standard SQL. This quoting mechanism is used by MS Access and SQL
Server and is included in SQLite for compatibility.
keyword A
keyword enclosed in grave accents (ASCII code 96) is an identifier.
This is not standard SQL. This quoting mechanism is used by MySQL and
is included in SQLite for compatibility.

Turn off upper-case for table and column names in HSQL?

How to turn off forced upper-case mode for table and column names in HSQL?
<artifactId>hsqldb</artifactId>
<version>2.3.1</version>
OS: Windows 7 x64
The rules around this are explained in the HSQLDB documentation:
When a database object is created with one of the CREATE statements or
renamed with the ALTER statement, if the name is enclosed in double
quotes, the exact name is used as the case-normal form. But if it is
not enclosed in double quotes, the name is converted to uppercase and
this uppercase version is stored in the database as the case-normal
form.
Case sensitivity rules for identifiers can be described simply as
follows:
all parts of SQL statements are converted to upper case before processing, except identifiers in double quotes and strings in single
quotes
identifiers, both unquoted and double quoted, are then treated as case-sensitive
most database engines follow the same rule, except, in some respects, MySQL and MS SQLServer.
AFAIK this behaviour can't be turned off. (It's worth noting that standard SQL is case-insensitive when quoted identifiers aren't used.) But as mentioned above, a lower case identifier can be specified by enclosing in quotes, e.g:
CREATE TABLE "lowercasetablename" ("lowercasecolname" INT);
SELECT "lowercasecolname" FROM "lowercasetablename";
I am not sure, i understand the problem correctly but just trying to put some effort.
SET DATABASE COLLATION SQL_TEXT_UCC
May be you can refer http://hsqldb.org/doc/guide/dbproperties-chapt.html

how to write a word to a database that is between 2 Apostrophes?

I have a table in my database of type nvarchar(50);
I want to write to that specific column that string 'Tal' - Tal between 2 apostrophes.
When I'm trying to do so what is recorded in my DB is "Tal" - Tal between 2 quotation marks.
My database is an SQL database and so are my scripts.
How this can be solved?
The standard way to do what you want is this.
insert into mytable ( mycolumn ) values ('''Tal''');
The first and last ' are the start and end markers for the string. Each '' within these characters means '. Refer to page 89 of the SQL 92 specification at http://www.andrew.cmu.edu/user/shadow/sql/sql1992.txt
I think escaping is the key to your question. For SQL apostrophes are special characters, thus they have to be escaped by '' (two apostrophes). Have you checked that your scripts do not add the second apostrophe for you? Probably you have to add Tal without the apostrophes.
Escape % seems to be DB dependant. Oracles uses \%, others accespt [%] and some seem to have a keyword ESCAPE. You have read the documentation of your database, look for "escape characters".
Try inserting like this using the backslash \'Tal\'.

Insert text with single quotes in PostgreSQL

I have a table test(id,name).
I need to insert values like: user's log, 'my user', customer's.
insert into test values (1,'user's log');
insert into test values (2,''my users'');
insert into test values (3,'customer's');
I am getting an error if I run any of the above statements.
If there is any method to do this correctly please share. I don't want any prepared statements.
Is it possible using sql escaping mechanism?
String literals
Escaping single quotes ' by doubling them up → '' is the standard way and works of course:
'user's log' -- incorrect syntax (unbalanced quote)
'user''s log'
Plain single quotes (ASCII / UTF-8 code 39), mind you, not backticks `, which have no special purpose in Postgres (unlike certain other RDBMS) and not double-quotes ", used for identifiers.
In old versions or if you still run with standard_conforming_strings = off or, generally, if you prepend your string with E to declare Posix escape string syntax, you can also escape with the backslash \:
E'user\'s log'
Backslash itself is escaped with another backslash. But that's generally not preferable.
If you have to deal with many single quotes or multiple layers of escaping, you can avoid quoting hell in PostgreSQL with dollar-quoted strings:
'escape '' with '''''
$$escape ' with ''$$
To further avoid confusion among dollar-quotes, add a unique token to each pair:
$token$escape ' with ''$token$
Which can be nested any number of levels:
$token2$Inner string: $token1$escape ' with ''$token1$ is nested$token2$
Pay attention if the $ character should have special meaning in your client software. You may have to escape it in addition. This is not the case with standard PostgreSQL clients like psql or pgAdmin.
That is all very useful for writing PL/pgSQL functions or ad-hoc SQL commands. It cannot alleviate the need to use prepared statements or some other method to safeguard against SQL injection in your application when user input is possible, though. #Craig's answer has more on that. More details:
SQL injection in Postgres functions vs prepared queries
Values inside Postgres
When dealing with values inside the database, there are a couple of useful functions to quote strings properly:
quote_literal() or quote_nullable() - the latter outputs the unquoted string NULL for null input.
There is also quote_ident() to double-quote strings where needed to get valid SQL identifiers.
format() with the format specifier %L is equivalent to quote_nullable().
Like: format('%L', string_var)
concat() or concat_ws() are typically no good for this purpose as those do not escape nested single quotes and backslashes.
According to PostgreSQL documentation (4.1.2.1. String Constants):
To include a single-quote character within a string constant, write
two adjacent single quotes, e.g. 'Dianne''s horse'.
See also the standard_conforming_strings parameter, which controls whether escaping with backslashes works.
This is so many worlds of bad, because your question implies that you probably have gaping SQL injection holes in your application.
You should be using parameterized statements. For Java, use PreparedStatement with placeholders. You say you don't want to use parameterised statements, but you don't explain why, and frankly it has to be a very good reason not to use them because they're the simplest, safest way to fix the problem you are trying to solve.
See Preventing SQL Injection in Java. Don't be Bobby's next victim.
There is no public function in PgJDBC for string quoting and escaping. That's partly because it might make it seem like a good idea.
There are built-in quoting functions quote_literal and quote_ident in PostgreSQL, but they are for PL/PgSQL functions that use EXECUTE. These days quote_literal is mostly obsoleted by EXECUTE ... USING, which is the parameterised version, because it's safer and easier. You cannot use them for the purpose you explain here, because they're server-side functions.
Imagine what happens if you get the value ');DROP SCHEMA public;-- from a malicious user. You'd produce:
insert into test values (1,'');DROP SCHEMA public;--');
which breaks down to two statements and a comment that gets ignored:
insert into test values (1,'');
DROP SCHEMA public;
--');
Whoops, there goes your database.
In postgresql if you want to insert values with ' in it then for this you have to give extra '
insert into test values (1,'user''s log');
insert into test values (2,'''my users''');
insert into test values (3,'customer''s');
you can use the postrgesql chr(int) function:
insert into test values (2,'|| chr(39)||'my users'||chr(39)||');
When I used Python to insert values into PostgreSQL, I also met the question: column "xxx" does not exist.
The I find the reason in wiki.postgresql:
PostgreSQL uses only single quotes for this (i.e. WHERE name = 'John'). Double quotes are used to quote system identifiers; field names, table names, etc. (i.e. WHERE "last name" = 'Smith').
MySQL uses ` (accent mark or backtick) to quote system identifiers, which is decidedly non-standard.
It means PostgreSQL can use only single quote for field names, table names, etc. So you can not use single quote in value.
My situation is: I want to insert values "the difference of it’s adj for sb and it's adj of sb" into PostgreSQL.
How I figure out this problem:
I replace ' with ’, and I replace " with '. Because PostgreSQL value does not support double quote.
So I think you can use following codes to insert values:
insert into test values (1,'user’s log');
insert into test values (2,'my users');
insert into test values (3,'customer’s');
If you need to get the work done inside Pg:
to_json(value)
https://www.postgresql.org/docs/9.3/static/functions-json.html#FUNCTIONS-JSON-TABLE
You must have to add an extra single quotes -> ' and make doubling quote them up like below examples -> ' ' is the standard way and works of course:
Wrong way: 'user's log'
Right way: 'user''s log'
problem:
insert into test values (1,'user's log');
insert into test values (2,''my users'');
insert into test values (3,'customer's');
Solutions:
insert into test values (1,'user''s log');
insert into test values (2,'''my users''');
insert into test values (3,'customer''s');

Special character in varchar in SQL

I am inserting text from a file into a table, few of the lines have words like "you'll" or "don't". When I insert these lines as varchar in my table, I get an error saying - near "ll": syntax error. How do I overcome this?
Your single quote is being considered as the end of your string. Escape the quote that exists within your string to avoid this problem.
You need to escape your SQL statement. If you are using SQL Server, then you can use QUOTENAME to resolve this.
Use two apostrophes within apostrophe-quoted strings to insert the apostrophe:
insert into footable (foo) values('you''ll')
Thank you all for responses, since I was using sqlite3, there are inbuilt string formating functions available with the library, so I was able to use sqlite3_mprintf with %q instead of %s and it took care of single quotes.