All B2A users.
Again about double quotes in SQL: how to be (replace quotes) in B2A long SQL INSERT\UPDATE request string, if this string is created dinamically, fields names and qty are variables (download by HTTP), and any value of them can be a string with quotes ?
Fields values are also in double quotes for INSERT, and I mean that whole the big SQL string cannot be easy formatted as string with & QUOTE & parts.
B4A gives SQLite exception "sintax error". Quotes in the values must be saved\used.... :-( not to be replaced by two single quotes.
What more symbols in the fields values must be specially checked (excepting destructive SQL injections...)?
The solution is to use parameterized queries with ExecQuery2 or ExecNonQuery2. SQL docs.
You can also use DBUtils.
Related
In SQL, you are supposed to query a name such as "St. John's" as 'St. Johns'''s, where you replace the single quotes with two single quotes, or you can use double quotes and not do the double single quote. However, no matter what I try in R, it still tells me "unexpected string literal". Any help would be appreciated.code and error
Remove the quote characters around your database, schema and table name.
I am writing an ODBC application in C!
I have a table on my database and I'm going to fill it with some variables: Var1, Var2, ... which are the output of some function.
The question is: in SQLExecDirect function, how should I pass to the SQL Statement (StatementText), the variables?
SQLExecDirect(hStmt, (SQLCHAR *)"INSERT INTO Table1 values (Var1, Var2, ...)", SQL_NTS);
In SQL in C, you create the full SQL statement by printing (formatting) it in a buffer. So if you want to insert the values of your variables into your table, you print their values to the buffer, like:
char szSQL[2048];
sprintf (szSQL, "INSERT INTO %s values('%s', %d,'%s');", szTableName, strVar1, intVar, strVar2);
SQLExecDirect(hStmt, szSQL, SQL_NTS);
Note the single quotes around the string variables and note there are no quotes around the integer variable. Note that that is the requirement of your TABLE, not of C. If the integer variable in your table is defined as a string field, then you must also place quotes around the variable in the SQL statement, '%d'.
Finally, if the string variables can contain the single quote, then you must escape these as two single quotes.
You have two options:
You can use sprintf to build your SQL string as Paul Ogilvie shows in his answer;
You can use a prepared statement and bind the variables to it in a separate operation (see example at link).
Prepared statements can buy you some performance if you're repeating the same statement multiple times with different values (as shown at the link). They can also protect against SQL injection attacks (up to a point, anyway), but you should be sanitizing your inputs regardless. Tradeoff is that the prepared statement takes a little more coding effort.
This seems like it would be a question that has been answered a million times before, but searching for a bit only brought up replacing single quotes with double quotes.
The problem is that I have a file with a huge number of single quotes. Is there any way to insert a string as is, without the single quotes throwing an error. Any wrapper?
This is for pure SQL, I don't need to save this string from the backend or anything. I need a SQL command.
Edit: Just to clarify - the string I am trying to post is a document, in html format, with a large number of both double and single quotes, escaping each one individually would take enough time to warrant saving data in another format, which I would rather not do.
If you have a file accessible to the SQL Server, you can read the contents in to a variable with OPENROWSET. For example, to read a Unicode text file at C:\drop\demo.html:
DECLARE #DocumentText nvarchar(MAX);
SELECT #DocumentText = BulkColumn
FROM OPENROWSET(BULK 'C:\drop\demo.html', SINGLE_NCLOB) file;
INSERT INTO Files (Column) VALUES (#DocumentText);
Can you replace the single quotes with two single quotes? That is how SQL Server escapes the single quote in a string.
declare #test_string nvarchar(max) = 'string with a single '' quote in it';
print #test_string
string with a single ' quote in it
You need to use double quotes:
select 'it''s a double quote'
Will return:
it's a double quote
Read the file, parse it, and do
if(string.charAt(I))=="'"... charAt(I)="";
I have Sql database with table name QUESTION
I want to insert value for QuestionTitle as html string contains single and double quots.
Insert query is
INSERT INTO QUESTION (QuestionType,QuestionID,QuestionTitle)
VALUES("MRQ","QNB5T6TKDMS",'<h1>What are types of special symbols
like #.~!#!$%^&*()_['"+-=</h1>')
When I try to execute this query in Sql it gives an error ,unrecognized token: ""+-=')" .
I try for \' and \'' ,still not work.
How can I do this so that it will work for html string.
The apostrophe, or single quote, is a special character in SQL that specifies the beginning and end of string data. This means that to use it as part of your literal string data you need to escape the special character.
The first one works fine for MySQL
INSERT INTO QUESTION (QuestionType,QuestionID,QuestionTitle) VALUES(8,"QNB5T6TKDMS",'<h1>What are types of special symbolslike #.~!#!$%^&*()_[\'"+-=</h1>')
or
This will work in SQLite
INSERT INTO QUESTION (QuestionType,QuestionID,QuestionTitle) VALUES(8,"QNB5T6TKDMS",'<h1>What are types of special symbolslike #.~!#!$%^&*()_[''"+-=</h1>')
You have found a SQL injection vulnerability in a numeric field, but you need to use a string value in one of your attack payloads.How can you place a string into your query without using any quotation marks?
Use a parametrized query instead of concatenation strings. Guide to SQL Injection
Escape ' with ''
INSERT INTO Foo(A)VALUES('GEORGE''S CAT')