I am working on a FILE that I need to move from one location to another, but when I run the code below I keep getting an error that it has the incorrect syntax. When I print the @Move statement I get this: (Which is what I think I should get)
MOVE \appdev1\sqltest\RedFlag\RedFlag Address Change New Debit Issued.pdf \appdev1\sqltest\RedFlag\2013-10-24_REDFLAG_.pdf
I am trying to run it like this:
EXEC MASTER.DBO.XP_CMDSHELL @MOVE
Any suggestions on what I am doing wrong? Do I need to add the ' in front of the Move statement?
You have spaces in your paths/filenames, so you need to surround with double quotes.
SET @MOVE = 'MOVE "\\appdev1\... Issued.pdf" "\\appdev1\..._.pdf"';
If you are constructing a path from variables, this doesn't change anything. Staying in T-SQL, you would have parameters like this I presume:
SET @MOVE = 'MOVE "' + @OldFile + '" "' + @Printed + '"';
You'll have to work it out yourself if you are doing this in some other language. Here is a short demonstration of how it works in T-SQL:
DECLARE @MOVE VARCHAR(255),
@OldFile VARCHAR(255) = '\\foo\some filename.pdf',
@Printed VARCHAR(244) = '\\blat\something else.pdf';
SET @MOVE = 'MOVE "' + @OldFile + '" "' + @Printed + '"';
PRINT @MOVE;
Results:
MOVE "\\foo\some filename.pdf" "\\blat\something else.pdf"
I don't see any extra quotes, so maybe those are coming from whatever value you have in your parameters.
I am updating a column value; below is the query
update Test set reference='Payment block & in SAP removed'
where id=2065.
And in the trigger which executes after update I am building an XML. The query is
set @xmlstring='<Changes>'
if(isnull(@oldReference,'')<>isnull(@newReference,''))
begin
set @IsChanged=1
set @xmlstring=@xmlstring+'<Fields Name="' + @Reference + '" OldValue="' + cast(isnull(@oldReference,'') as nvarchar) + '" NewValue="' + cast(isnull(@newReference,'') as nvarchar) + '" />'
end
set @xmlstring=@xmlstring + '</Changes>'
But the trigger is giving an XML parsing exception. Any idea why?
The '&' character needs to be encoded in XML as '&amp;'.
I have following table:
1 One TEXT_ONE
2 Two TEXT_TWO
3 Three TEXT_Three ...
I want to run a SQL query that will create txt files in a specific folder:
C:\Files\One.txt (Text inside - TEXT_ONE)
C:\Files\Two.txt (Text inside - TEXT_TWO)
C:\Files\Three.txt (Text inside - TEXT_Three)...
I'm not so good at SQL, so any help is appreciated =)
Thanks
I found my own way. It's probably not an absolute answer to my question, but the idea is complete.
So, I've created bcp Command that needs to be executed from Command Line
'bcp "SELECT ColumnName FROM DBName.schema.TableName WHERE IDCol = ' + CAST(IDCol as varchar(2)) + '" QUERYOUT .\' + ColumnForFileName + '.txt -S FullServerName -T -c'
You can run select statement in SQL. Here is my example:
SELECT sp.[SessionPageID]
,sp.[SummaryBody]
,sp.[MainTableBody]
,sf.[FileName]
,'bcp "SELECT SummaryBody FROM WLS_3E_TIMELOAD_APP.dbo.SessionPage WHERE SessionPageID = ' + CAST(sp.[SessionPageID] as varchar(2)) + '" QUERYOUT .\SB_' + sf.[FileName] + '_Session.txt -SCHAKHAU-T430\CHAKHAU -T -c'
,'bcp "SELECT MainTableBody FROM WLS_3E_TIMELOAD_APP.dbo.SessionPage" QUERYOUT .\MB_' + sf.[FileName] + '_Session.txt -S MYLapTOP\LOCAL -T -c'
FROM [SessionPage] sp
JOIN SourceFile sf ON sf.SourceFileID = sp.SourceFileID
If you run this kind of query, the result will contain all your bcp commands, so you can then execute them from the command line.
So I fetched some data from a mdb file in c# via
"SELECT * FROM " + listBox1.GetItemText(listBox1.SelectedItem) + " WHERE Note = '" + listBox2.GetItemText(listBox2.SelectedItem).Replace("'","\'") + "'";
which selects the right data, here it is
SELECT * FROM Main WHERE Note ='Hello'
The mdb data structure looks like this being plotted as a CSV-file:
"Record ID";Status;Placement;Private;Category;Note;Blob
14341665;4;2147483647;True;3;"""Hello"" - Neues
But when I try to remove entries with
"DELETE FROM " + listBox1.GetItemText(listBox1.SelectedItem) + " WHERE \"Record ID\" LIKE '" + dr[0] + "';";
or
"DELETE FROM " + listBox1.GetItemText(listBox1.SelectedItem) + " WHERE \"Record ID\" = '" + dr[0] + "';";
which looks like for instance
DELETE FROM Main WHERE "Record ID" LIKE '14341665';
The entries just stay there. I can rerun the select command even restart my application, the mdb is not changed.
Is record ID a numeric field? If so, lose the quotes.
DELETE FROM Main WHERE [Record ID] = 14341665;
Note that spaces in field (column) names will always be a problem. Such column names have to be enclosed in square brackets, as do columns named with reserved words.
The record id is numeric, so don't put apostrophes around it:
"DELETE FROM " + listBox1.GetItemText(listBox1.SelectedItem) + " WHERE \"Record ID\" = " + dr[0]
Note: You should avoid using select * in production code, you should specify the data that you want returned. Also, you should use parameterised queries instead of concatenating values into the query.
If I remember correctly, "like" only works on string data, please check the data type of Record ID.
If Record ID is numeric, you may want to use database's conversion function to convert it into string before filtering using "like".
btw, remember to make sure that dr[0] is properly escaped.
Haven't come across this in ages and when I searched for the solution I couldn't find one. I think it's called overloading in SQL. Basically when I have "" (an empty string) for any parameter in this SQL I don't want to set a value in the database...
NOTE: I want to do it at a SQL level, not do it at a C# level, because it's sloppy that way.
string Sql = "IF NOT EXISTS (SELECT * FROM tbl_FileSystemReferences) "
+ "INSERT INTO tbl_FileSystemReferences (UploadDir) VALUES (null) "
+ "UPDATE tbl_FileSystemReferences SET "
+ "UploadDir=@UploadDir, "
+ "ThumbnailDir=@ThumbnailDir, "
+ "ArchiveDir=@ArchiveDir, "
+ "RealDir=@RealDir, "
+ "FlashDir=@FlashDir, "
+ "AssociatedFilesDir=@AssociatedFilesDir, "
+ "EnableArchiving=@EnableArchiving, "
+ "AppWideDir=@AppWideDir, "
+ "FFmpegDir=@FFmpegDir, "
+ "InstallationDir=@InstallationDir ";
SqlCommand Command = new SqlCommand(Sql);
Command.Parameters.AddWithValue("@UploadDir", f.UploadDir);
Command.Parameters.AddWithValue("@ThumbnailDir", f.ThumbnailDir);
Command.Parameters.AddWithValue("@ArchiveDir", f.ArchiveDir);
Command.Parameters.AddWithValue("@RealDir", f.RealDir);
Command.Parameters.AddWithValue("@FlashDir", f.FlashDir);
Command.Parameters.AddWithValue("@AssociatedFilesDir", f.AssociatedFilesDir);
Command.Parameters.AddWithValue("@EnableArchiving", f.EnableArchiving);
Command.Parameters.AddWithValue("@AppWideDir", f.AppWideDir);
Command.Parameters.AddWithValue("@FFmpegDir", f.FFmpegDir);
Command.Parameters.AddWithValue("@InstallationDir", f.InstallationDir);
ExecuteNonQuery(Command);
I know there is a way I used to do this with a stored procedure, I just can't remember how (I think it's called overloading)....
Cheers,
Can you create a stored procedure rather than passing the command as text?
That way you can break each of the lines like "UploadDir=@UploadDir," into its own variable and only add it to the command if it is not null or not empty string
one way would be on a stored procedure, where you would receive all those parameters, then before the query either:
you allow to pass null
you convert each parameter to null if they are empty as:
select @UploadDir = null where @UploadDir = ''
you would do that for all your parameters, then on update query:
IF NOT EXISTS (SELECT * FROM tbl_FileSystemReferences)
INSERT INTO tbl_FileSystemReferences (UploadDir) VALUES (null)
UPDATE tbl_FileSystemReferences SET
UploadDir=coalesce(@UploadDir, UploadDir),
ThumbnailDir=coalesce(@ThumbnailDir, ThumbnailDir),
ArchiveDir=coalesce(@ArchiveDir, ArchiveDir),
RealDir=coalesce(@RealDir, RealDir),
FlashDir=coalesce(@FlashDir, FlashDir),
AssociatedFilesDir=coalesce(@AssociatedFilesDir, AssociatedFilesDir),
EnableArchiving=coalesce(@EnableArchiving, EnableArchiving),
AppWideDir=coalesce(@AppWideDir, AppWideDir),
FFmpegDir=coalesce(@FFmpegDir, FFmpegDir),
InstallationDir=coalesce(@InstallationDir, InstallationDir)
code:
string query1 = @"UPDATE global_mapping set escape_id = " +
dataGridView1.Rows[i].Cells[2].Value + ",function_id = " +
dataGridView1.Rows[i].Cells[3].Value + ",function_name = '" +
dataGridView1.Rows[i].Cells[4].Value + "',parameter_name = '" +
dataGridView1.Rows[i].Cells[5].Value + "',parameter_validity = '" +
dataGridView1.Rows[i].Cells[6].Value + "',statusparameter_id = " +
dataGridView1.Rows[i].Cells[7].Value + ",acb_datatype = '" +
dataGridView1.Rows[i].Cells[8].Value + "',data_type_id = " +
dataGridView1.Rows[i].Cells[9].Value + ",bit_size = " +
dataGridView1.Rows[i].Cells[10].Value + ",validity_status ='" +
dataGridView1.Rows[i].Cells[11].Value + "',validity_func = '" +
dataGridView1.Rows[i].Cells[12].Value + "'WHERE global_mapping.parameter_id =" +
dataGridView1.Rows[i].Cells[1].Value + "";
OleDbCommand cmd1 = new OleDbCommand(query1, conn);
cmd1.ExecuteNonQuery();
code ends:
When I execute the above code I get an error stating "Syntax error in Update statement".
Can someone please tell me how to resolve this?
It looks like you need to add a space before your WHERE clause.
Hope this helps,
Bill
Wow. Can we say... SQL Injection?
Try using Parameters. Not only will you protect yourself, but your SQL will become MUCH more readable.
Never use string concatenation for building SQL queries. Use SQL parameters.
Yikes!
Please provide the final query1 value and try to format it so we can get a better picture of it. My guess is a missing ' or something.
I'd say you're missing some quotes in there but your code is such a pig-sty I can't tell. If you won't fix your code then at the minimum give us a dump of query1 so we can read your actual query.
And use parameters or stored procedures like the previous responses said. All it takes is one of your variables to get overwritten with something nasty and your server will be wide open to anyone deleting your tables or worse.
Even if this is a local "safe" database you should unlearn your bad habits now.
Put
Console.WriteLine(query1)
before OleDbCommand cmd1 = new OleDbCommand(query1, conn);
See the value of query1 printed to console window.
Does the SQL Statement look OK? I guess not - you will now be able to find a field which is non-numeric and is blank in the grid.
And, use parameters as others have said.
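The parameterised form that the answers in the DELETE and UPDATE threads recommend, as an added example that is not code from any of the posters. The class name, the table allow-list and the sample values are assumptions, and the UPDATE is reduced to three of the thread's columns.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;
using System.Globalization;

static class SafeCommands
{
    // Table names cannot be bound as parameters; this allow-list is an assumption.
    static readonly HashSet<string> KnownTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Main", "global_mapping" };

    // Throws FormatException for blank or non-numeric cells instead of sending them on.
    static int ToInt(object v) => int.Parse(Convert.ToString(v), CultureInfo.InvariantCulture);

    // DELETE from the Access thread: allow-listed table, numeric key bound as a parameter.
    public static OleDbCommand BuildDelete(OleDbConnection conn, string table, object recordId)
    {
        if (!KnownTables.Contains(table))
            throw new ArgumentException("Unknown table: " + table);
        var cmd = new OleDbCommand("DELETE FROM [" + table + "] WHERE [Record ID] = ?", conn);
        cmd.Parameters.Add("@id", OleDbType.Integer).Value = ToInt(recordId);
        return cmd;
    }

    // UPDATE cut to three columns; OleDb binds ? markers by position, so order matters.
    public static OleDbCommand BuildUpdate(OleDbConnection conn, object escapeId,
                                           object functionName, object parameterId)
    {
        var cmd = new OleDbCommand(
            "UPDATE global_mapping SET escape_id = ?, function_name = ? " +
            "WHERE parameter_id = ?", conn);
        cmd.Parameters.Add("@escape_id", OleDbType.Integer).Value = ToInt(escapeId);
        // A null cell value is stored as NULL; an apostrophe stays inside the value.
        cmd.Parameters.Add("@function_name", OleDbType.VarWChar, 255).Value =
            (object)(functionName as string) ?? DBNull.Value;
        cmd.Parameters.Add("@parameter_id", OleDbType.Integer).Value = ToInt(parameterId);
        return cmd;
    }

    static void Main()
    {
        var conn = new OleDbConnection();   // never opened: commands are built, not executed
        var upd = BuildUpdate(conn, "7", "driver's request", 42);   // constructed values
        Console.WriteLine(upd.CommandText);
        foreach (OleDbParameter p in upd.Parameters)
            Console.WriteLine("  {0} = {1}", p.ParameterName, p.Value);
        Console.WriteLine(BuildDelete(conn, "Main", "14341665").CommandText);
    }
}
```

The SQL text is now a constant, so a missing space or quote shows up once at development time rather than depending on what the grid contains. On .NET Core and later, System.Data.OleDb is a separate package and runs on Windows only.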