I have a VB Script to connect SQL and retrieve value using ADODB recordset. Question: Upon using a multi- line SQL query with JOINs, i received error message : unterminated string constant.Kindly Advise.
If your VBScript lacks a closing punctuation mark at the end of a line. Which means it a syntax error in your script.
Check the syntax of your script, particularly for closing statements
Related
'if' conditions in my ADO YAML file is not working. I am seeing syntax error.
I even copied the code from the section "Parameters to select a template at runtime" from https://learn.microsoft.com/en-us/azure/devops/pipelines/process/templates?view=azure-devops#parameters-to-select-a-template-at-runtime but still seeing error. Please see the screen shot from my ADO
Tried to Microsoft sample code
I'm curious to know a proper way to insert text strings into a database regardless of what characters are contained within the string. What I'm getting at is if I have a string for example that contains single quotes or any other character that is reserved as a 'special' SQL character.
The issue specifically that I'm dealing with is that I don't have control over the possible 'Text' that is being inserted into my database as they text is generated by my application.
One example of where my application fails to insert properly is when there's an error message that happens to contain single quotes. Single quotes are used by SQL statements insert text of course and so I can't insert text that also contains single quotes (outside of using ascii value char(##) function). The issue I'm dealing with is that I'm setting the output of my application to a string variable to then be inserted into my database so I can log activity whether that be standard output or catching errors.
How do I simply INSERT what's contained in my string variable while avoiding all of the SQL Special characters?
Do I need to manually account for all of the SQL Special characters and replace them in my string prior to insert? This sounds like a hit or miss and I'm hoping that there's something already built to accommodate this situation.
Sample Pseudo Code to get the point across:
Let's say an error occurred within the app and it needs to be logged. The error string could be:
Error String: "Error in function calculateStats() parameter 'pBoolStatCheck' is Null"
Now I assign to my string variable within my app and build up the SQL Insert string.
var insertString = "Error in function calculateStats() parameter 'pBoolStatCheck' is Null"
INSERT INTO outputLog(outputLogText)
VALUES ('insertString'); --This will Fail
--Fails due to the variable 'insertString' containing single quotes.
INSERT INTO outputLog(outputLogText)
VALUES ('Error in function calculateStats() parameter 'pBoolStatCheck' is Null');
In closing - since I have no control over the text that could be created by my application how do I account for all of the possible characters that could break my insert?
The code my current application encountering this issue is written in Visual Basic. The database I'm working with is SQLite.
The final solution based on answers received by this post:
Public Sub saveOutputLog(pTextOutput, pTextColor, pNumNewLines, plogType, pMethodSub)
Dim strTableName As String = "outputLog"
Dim sqlInsert As String = "INSERT INTO " & strTableName & "(" &
"outputLog, logColor, numNewLines, logType, method" &
") VALUES (#outputLog, #logColor, #numNewLines, #logType, #method);"
Try
'Open the Database
outputLogDBConn.Open()
'Create/Use a command object via the connection object to insert data into the outputLog table
Using cmd = outputLogDBConn.CreateCommand()
cmd.CommandType = CommandType.Text
cmd.CommandText = sqlInsert
cmd.Parameters.AddWithValue("#outputLog", pTextOutput)
cmd.Parameters.AddWithValue("#logColor", pTextColor)
cmd.Parameters.AddWithValue("#numNewLines", pNumNewLines)
cmd.Parameters.AddWithValue("#logType", plogType)
cmd.Parameters.AddWithValue("#method", pMethodSub)
'Execute the command using above Insert and added Parameters.
cmd.ExecuteNonQuery()
End Using 'Using outputLogDBComm
outputLogDBConn.Close()
Catch ex As Exception
outputLogDBConn.Close()
End Try
End Sub
This problem is very similar to the problem of preventing SQL Injection vulnerabilities in your code. Queries are very easy to break, and while yours breaks in a way that is harmless and annoying, these can be taken to levels where certain inputs can completely destroy your database!
One of the best ways to approach this is by using parameterized queries. This approach is pretty simple; you write the query first with 'placeholders' for the parameters you will send. Once you are ready in your program you can then 'bind' those parameters to the placeholders.
It would look something like the following:
Dim command = New SqlCommand("INSERT INTO outputLog(outputLogText) VALUES (#stringToInsert)", connection);
.
.
.
code
.
.
.
command.Parameters.AddWithValue("#stringToInsert", errorMessage)
.
.
.
execute query
In the above you see that #stringToInsert is the placeholder which is only bound at a later time. It doesn't matter what the variable errorMessage contains, since it will not cause the query to function in a way where the input causes it to potentially break.
There are a lot of resources on this:
https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlcommand.prepare?view=netframework-4.7.2
Database objects like connections not only need to be closed but also disposed. A Using block will ensure this will happen even if there is an error.
The .Add is better than .AddWithValue for a number of reasons. See https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/ and http://www.dbdelta.com/addwithvalue-is-evil/
The parameters of .Add are the name of the parameter, the datatype in the database and optionally the size of the field. You will need to check the database for the last 2.
Open the connection at the last minute befor the execute.
If you are using OleDb with Access, you need to make sure the parameters are added in the same order as they appear in the sql statement.
Using cn As New SqlConnection("Your connection string")
Using cmd As New SqlCommand("INSERT INTO outputLog(outputLogText) VALUES (#outputLogText);", cn)
cmd.Parameters.Add("#outputLogText", SqlDbType.VarChar, 100).Value = TextBox1.Text
cn.Open()
cmd.ExecuteNonQuery()
End Using
End Using
When I try to run a SQL query through VBA Code it is throwing the below error:
Run time error -2147467259(80004005)
[Teradata] The object name is too long in NFD/NFC
Set rec1 = New ADODB.Recordset
rec1.Open oSql, conn
Worksheets("BO_Output").range("A" & (N)).Value = thissql
My query is working fine when I run it in SQL assistant
I had this error when running an update query in SQL Assistant. I had enclosed my text field in double quotes rather than single quotes. Teradata interpreted the double quotes as a column name. You might like to review your code and see that there isn't any way the quotes could be embedded in your VBA code.
I'm getting a message that there is a syntax error in a VBA query expression I have on a button in Access. Unfortunately, I just cannot figure out what the syntax error is. I'm pretty sure I'm using everything correctly. I'm sending this expression as the WHERE clause to a report being generated. The screenshot is below. Can anyone help?
The two strings that read "tk" are put into the expression from a couple input boxes.
My expression in text:
cond = "(((StrComp(""" & lower & """,Left([Location],2)))<=0) And ((StrComp(""" & upper & """,Left([Location],2)))>=0));"
stDocName = "rptMstrEquipListRange"
DoCmd.OpenReport stDocName, acPreview, , cond
According to www.balancebraces.com, the parentheses aren't the problem:
It should work fine if you remove the ; at the end. (Tested)
please find below my SQL statement, on line 20 the error is apparently;
https://gist.github.com/815c4dd5655e79581a1a
current error im getting is
Microsoft Access Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'sea_Reference=A01AND sea_TheID=5'.
/STUDENT/s0191958/PART2/bookingprocess1.asp, line 22
all the variables being requested and stuff, are digits.
Ive been removing and adding quotes all night and im sick of it!
Put a space before the AND and put the data for sea_Reference in quotes.
Change: 'sea_Reference=A01AND sea_TheID=5'
to 'sea_Reference='A01' AND sea_TheID=5'
here's the altered code
SeatSetRs="SELECT sea_ID FROM seat WHERE sea_Reference='" & request("firstSeat") & "' AND sea_TheID=" & request("the_ID") & ""