How to pre-execute a variable between single quote?

Hi, All,
I have a stored procedure, part of it looks like:
select emp_id in emp_id_v
from emp
where last_name like 'emp_id_in%';
emp_id_in is a input parameter.
This wouldn't work because it takes "emp_id_in" as characters instead of a variable.
How to make this work?
Any comment would be greatly appreciated!

Thanks for your replay. I know this is an option. Is there any other option? like Unix's ` operator?

Similar Messages

Xpath with another xpath between single quotes

Hello,
Im using an xpath expression to find a node in a xml variable. In this xpath I need to equal the text part of the resolved node to the value returned from the xpath from another xml variable. The value returned from the second xpath needs to be between single quotes in the first xpath, but it is not working. I already tried this:
/path_to_xml1/root_node/node[text = '/path_to_xml2/root_node/node']
string(/path_to_xml1/root_node/node[text = '/path_to_xml2/root_node/node'])
string(/path_to_xml1/root_node/node[text = 'string(/path_to_xml2/root_node/node')])
thank you

When you say : "...I need to equal the text part of the resolved node", are you talking about a text attribute of the node or just the value of that node?
If it's just the value of the node then you should just use /path_to_xml1/root_node/node /path_to_xml2/root_node/node
Jasmin

How can I share Pin variable between two packages?

Hi every one,
Is there any one who knows how can I share Pin variable that it is defined with OwnerPin between two packages in java card( with eclipse 3.1),I studied Sharing Interface subject and I knows it teorical but I can not do it practical .
I can share primitive data type but I can not share Ownerpin.
If anybody has some sample codes or knows any link ,please inform me.
My code is same as below:
//In Server Side
package ginaPack;
import javacard.framework.*;
public class GinaApplet extends Applet implements GinaInterface{
OwnerPIN pin;
private GinaApplet (byte[] bArray,short bOffset,byte bLength) {
    pin =new OwnerPIN(PIN_TRY_LIMIT,MAX_PIN_SIZE);
          byte PinTemp[] = new byte[4];
          PinTemp[0] = (byte) 0x31;
          PinTemp[1] = (byte) 0x31;
          PinTemp[2] = (byte) 0x31;
          PinTemp[3] = (byte) 0x31;
          pin.update(PinTemp, (short) (0), (byte) PinTemp.length);
    public Shareable getShareableInterfaceObject(AID clientAID,byte parameter)
          return this;
    public OwnerPIN getPinShareable()
         return pin;
     public void process(APDU apdu)
                  //there are some codes in this here
}//Interface in Server side
public interface GinaInterface extends Shareable
      public OwnerPIN getPinShareable();
}//In Client side
import ginaPack.*;
public class UserCardApplet extends Applet {
private UserCardApplet(byte[] bArray, short bOffset, byte bLength) {
     //there are some codes in this here
public boolean select() {
          final byte[] Gina_AID={(byte)0x47,(byte)0x69,(byte)0x6e,(byte)0x61,(byte)0x41,(byte)0x70,(byte)0x70,(byte)0x6c,(byte)0x65,(byte)0x74};
          AID GinaAID = JCSystem.lookupAID( Gina_AID, ( short )0,( byte )Gina_AID.length );
          if ( GinaAID == null ) // probably not loaded on card
                    ISOException.throwIt( ISO7816.SW_FUNC_NOT_SUPPORTED );//6a 80
          GinaInterface ff = (GinaInterface) JCSystem.getAppletShareableInterfaceObject(GinaAID,(byte)0);
          if( ff == null )
               ISOException.throwIt((short)0x0903);
if ( ff.getPinShareable().getTriesRemaining()== 0 ) return false;
}My problem is in this line :
"if ( ff.getPinShareable().getTriesRemaining()== 0 ) return false; "when I select my applet this line throw an exception, ff.getPinshareable includes all of OwnerPin methods(such as getTriesRemaining ,check ,reset, update ,...)but all of them throw exception .
I think firewal does not allow other packages uses this methods .If my guess is right then what should I do for sharing the variables that they are defined with non primitive data type such as (OwnerPin,Signature,...)
I'd appriciated for any help.
yours sincerely,
Orchid.
Message was edited by:
NewOrchid

Applet 1:
package com.package1;
import javacard.framework.*;
public class Applet1 extends Applet {
    private static final byte tryLimit = (byte)3;
    private static byte[] pinBytes = {(byte)1, (byte)7, (byte)4, (byte)5, (byte)2};
    private Library1 lib;
    protected Applet1(byte bArray[], short bOffset, byte bLength) throws PINException {
        lib= new Library1(tryLimit, (byte)pinBytes.length);
        lib.update(pinBytes, (short)0, (byte)pinBytes.length);
        register();
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new Applet1(bArray, bOffset, bLength);
    public void process(APDU apdu) {
        byte status=(byte)0;
        lib.resetAndUnblock();
        if (!(lib instanceof Shareable)) status += (byte)2;
        if (!(lib instanceof MyPIN)) status += (byte)4;
        ISOException.throwIt(Util.makeShort((byte)0x90, status)); // sw indicates tries remaining
    public Shareable getShareableInterfaceObject(AID cltAID, byte parm) {
        return lib;
}Library1:
package com.package1;
import javacard.framework.OwnerPIN;
import javacard.framework.PINException;
public class Library1 extends OwnerPIN implements Interface1{
    public Library1(byte tryLimit, byte maxPINSize) throws PINException {
        super(tryLimit, maxPINSize);
}Interface1:
package com.package1;
import javacard.framework.PIN;
import javacard.framework.Shareable;
public interface Interface1 extends Shareable {
    boolean check(byte[] pin, short offset, byte length);
    byte getTriesRemaining();
    boolean isValidated();
    void reset();
}Applet2:
package com.package2;
import javacard.framework.*;
import com.package1;
public class Applet2 extends Applet {
    private final static byte CLA_TEST = (byte)0x80;
    private final static byte INS_TEST = (byte)0x20;
    private final static byte P1_AUTHORIZE = (byte)0x00;
    private final static byte P1_DOIT = (byte)0x01;
    private final static byte P1_CHECK_SIO = (byte)0x0a;
    private Interface1 sio;
    protected Applet2(byte bArray[], short bOffset, byte bLength) {
        register();
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new Applet2(bArray, bOffset, bLength);
    public void process(APDU apdu) {
     byte[] buffer = apdu.getBuffer();
        if ((buffer[ISO7816.OFFSET_CLA] == CLA_TEST) ||
            (buffer[ISO7816.OFFSET_CLA] == ISO7816.CLA_ISO7816)) {
            short bytesReceived = apdu.setIncomingAndReceive();
            switch (buffer[ISO7816.OFFSET_INS]) {
            case ISO7816.INS_SELECT:
                if (!JCSystem.getAID().equals(buffer, ISO7816.OFFSET_CDATA, buffer[ISO7816.OFFSET_LC]))
                    ISOException.throwIt(ISO7816.SW_APPLET_SELECT_FAILED);
                sio = (Library1)JCSystem.getAppletShareableInterfaceObject(JCSystem.lookupAID(<fill in parameters>);
                if (sio == null)
                    ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
                break;
            case INS_TEST:
                switch (buffer[ISO7816.OFFSET_P1]) {
                case P1_AUTHORIZE:
                    if (!sio.isValidated()) {
                        if(!sio.check(buffer, ISO7816.OFFSET_CDATA, buffer[ISO7816.OFFSET_LC]))
                            ISOException.throwIt(Util.makeShort((byte)0x9A, sio.getTriesRemaining()));
                    break;
                case P1_DOIT:
                    if (!sio.isValidated())
                        ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                    sio.reset();
                    ISOException.throwIt(Util.makeShort((byte)0x9A, sio.getTriesRemaining()));
                    break;
                default:
                    ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        else {
            ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
}1. Upload package1
2. Install Applet1
3. Select Applet1
4. Upload package2
5. Install Applet2
6. Select Applet2

RWRUN60: Problem with parameter value containing space between single quote

Hi All
I'm using RWRUN60 to generate my report by following way:
C:\orant\BIN\RWRUN60.EXE userid=DBUser/dbpasswor@db BACKGROUND="NO" BATCH="YES" DESFORMAT="pdf" DESNAME="C:\report.pdf" DESTYPE="FILE" ORIENTATION="LANDSCAPE" PARAMFORM="NO" P_REPORTID="2431" P_REPORTNAME="Report Name" report="C:\report.rdf" P_WHERE="StartDate>=to_date('2011-07-14 10-37-00','YYYY-MM-DD HH24-MI-SS')"
When I tried to run given command above nothing was executed executed and any log didnt created.
I found out that problem occurs when text between two single quotes contains spaces. In my case it is a parameter P_WHERE. I need to keep such format because it is part of report query.
When I removed last parameter from command RWRUN60 successfully genereate pdf document.
Further I added new test parameter P_TEST(it is ignored by rdf) in the end of command line following:
P_TEST="test '11'" - rwrun60 generates report
P_TEST="test '1 1'" - rwrun60 doesn't; generate report
Can somebody help how to resolve given problem. Is it parsing bug or what else?

Spaces on command lines a very often a bad idea. Get rid of them by changing the command, e.g.:
to_date('2011-07-14:10-37-00','YYYY-MM-DD:HH24-MI-SS')

How to insert a string containing a single quote to the msql database? help

how can i insert a string which contains a single quote in to database... anyone help
Message was edited by:
sijo_james

Absolutely, Positively use a PreparedStatement. Do not use sqlEscape() function unless you have some overriding need (and I don't know what that could possibly be).
There are 1000's of posts on the positive aspects of using a PreparedStatement rather than using a Statement. The two primary positive attributes of using a PreparedStatement are automatic escaping of Strings and a stronger security model for your application.

How to update row when data contains single quote ?

Hi,
Please see this query:
update query_tab set title='It's common knowledg' where
id='1121';I have this update query coming from .NET, but abviously this is error since single quote in the text (title column) given by user gives wrong meaning to sql parser. So, how to solve this problem ?
Edited by: bootstrap on Dec 25, 2010 9:53 AM

Hi,
To include a single-quote in a string literal, use two of them in a row:
update      query_tab
set      title     = 'It''s common knowledge'
where      id     = '1121';The method above works in any version of Oracle.
Starting in Oracle 10, you can also use Q-notation, like this:
update      query_tab
set      title     = Q'[It's common knowledge]'
where      id     = '1121';For details, look up "Text Literals" in the SQL Language manual:
http://download.oracle.com/docs/cd/B28359_01/server.111/b28286/sql_elements003.htm#sthref337

How to search the location of the single quote using instr func in a string

I have a string '345634','234'(all 4 single quotes are part of the string) and I want to find the location of the 3rd single quote using the instr function , could sum1 quickly please help me out.
Regards
Rahul
Edited by: Rahul Kalra on Aug 26, 2010 8:58 AM

Carlovski wrote:
You really do learn something new every day!
It really is quite ugly syntax though.Not really. You can use whatever character you want to indicate the start and end of the string, but if you use any of the brackets "[", "(" or "{" you should terminate using the opposing bracket "]", ")" or "}" respectively. It also looks a bit more ugly with data like that, but if you are entering regular text then it looks ok...
e.g.
SQL> select q'[This is my string with fred's quotes in it]' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL> select q'(This is my string with fred's quotes in it)' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL> select q'{This is my string with fred's quotes in it}' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL> select q'.This is my string with fred's quotes in it.' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL> select q'#This is my string with fred's quotes in it#' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL> select q'`This is my string with fred's quotes in it`' as mystring from dual;
MYSTRING
This is my string with fred's quotes in it
SQL>Well... almost any character...
SQL> select q'¼This is my string with fred's quotes in it¼' as mystring from dual;
ERROR:
ORA-01756: quoted string not properly terminated

How do I setup shared variables between executables created in sepparate projects

Hello,
I have several sepparate projects with their own respective executable files and I would like to be able for these executable files to all share the same variable (one program controls the value of the variable, while the others read from it).
I got this setup to work on my personal computer (by being able to access variable manager, etc), but I need to deploy these executables on different computers that don't have the labview development program. What steps do I need to do in order for me to be able to put these executables on any computer (I'm assuming I need to setup a path for the shared variable that is always in the same folder, etc)
Thanks
Vlad
Solved!
Go to Solution.

Hi Vlad,
I think this article may answer some of your questions regarding shared variables in deployed applications.
http://zone.ni.com/devzone/cda/tut/p/id/9900
It sounds like you already have your executables built, but this article may answer some questions about deploying them to other machines.
http://zone.ni.com/devzone/cda/tut/p/id/3303
Jeff S.
National Instruments

How you connect a shared variable between internet?

Hello;
I have a aplicarían which use the shared variables, and other one which is the slave. both work rightly, in a local lan, but now I need connect the slave aplication between Internet.
what is the procedure?????
thanks in advance

Hola Joju,
La tecnología de variables compartidas sólo es válida dentro de una red local. Si necesitas acceder a una variable desde Internet, tendrías que hacer uso de DataSocket y de servidores DNS.
Servidores DNS para que tu PC tenga asociado un dominio en Internet y, de esta forma, se pueda acceder a él a través de su nombre. El problema es que tendrías que dar de alta dicho dominio. Después, seguir las instrucciones de este link, cambiando direcciones IP por nombres de equipo:
How to Use Shared Variables and DataSockets to Pass Data Between Two Networked PCs
Esto no es trivial y dependiendo de la configuración de la red del operador, es posible que haya problemas. Para comunicación a través de la red, siempre es más recomendable utilizar funciones básicas de TCP/IP o servicios web.
Un saludo,

How to use execute query For a single record

Hi All,
I am working with oracle forms 10g, I have developed a custom form.
I the form user enter some data and click save in the menu and data get inserted into my table. Inside the insert statement i have hardcoded some values, Once data get inserted i cant able to see that values immediately in my text fields in my form.After requerying i can able to see the changes.
For example I have a text field called Status, and the field is display only field. At that time of insert i have hardcoded as "INCOMPLETE". Once the user enter the data in the form and click save the data get inserted in to my table but i cant able to see the status, after i requery my form i can able to see the status.
Here i do multi insert also.
This is my insert statement
BEGIN
First_Record;
LOOP
IF :BANK_GUARANTEE_BLK.CHECK_IN_OUT = 'Y'
THEN
XXBANK_GUARANTEE_HEADERS.XXBANK_GUARANTEE_INSERT;(this is my package, here i have written my insert statement)
--Execute_query;
END IF;
Exit when :System.Last_Record = 'TRUE';
Next_Record;
END LOOP;
END;
If user insert only one row and i gave Execute_query to refresh and bring the current data, but when i use execute_query Its brings up all the datas in the table.
Can any one tell me how to avoid this and how to use execute_query for a single record.
Thanks &regards
Srikkanth

Solved,
The solution is
set_block_property('LC_REQ_BLK',ONETIME_WHERE,'LC_PO_NUMBER='||:LC_REQ_BLK.LC_PO_NUMBER);
go_block('LC_REQ_BLK');
execute_query;
Works fine.
Regards
Sri

How can I pass a variable between JSP and Role Form

I need to pass a variable from (a copy of) applicationmodify.jsp to the IDM Role Form so that the variable is available within the Role Form at display. We've tried getAttribute and setAttribute modifying both the Role Form and the applicationmodify JSP and can get the form to the role form but not accessible but have had no other success. Has anyone had any success in doing this? Any suggestions would be appreciated.

if by _root level you mean you're loading something into
_level0 you can't won't be able to use the localconnection. the
sharedobject is your only option.

Single quotes around a variable

Hi,
I have values that are being passed into a variable with single quotes around.
for eg: 'test'. So the value in variable v_empname will hold the value 'test'
But then below sql statement returns null:
select empid
into v_empid
from emp where empname = v_empname
When I checked the value of the variable it's 'test' and compared as '''test'''.
How can I get around this?
Thanks for the help.
SK.

Doh!
SQL> create or replace procedure get_empno (i_name in varchar2)
2 as
3    v_empno number;
4 begin
5    select empno into v_empno
6    from emp
7    where ename = i_name;
8    dbms_output.put_line('empno is '||v_empno);
9 exception
10    when no_data_found then
11      dbms_output.put_line('No such person, or did you mean '||upper(i_name)||'?');
12 end;
13 /
Procedure created.
SQL>
SQL> set serveroutput on
SQL> exec get_empno('king');
No such person, or did you mean KING?
PL/SQL procedure successfully completed.
SQL> exec get_empno('KING');
empno is 7839
PL/SQL procedure successfully completed.

Copying a table with the right-click menu in schema browser fails to copy comments when string has single quote(s) (ascii chr(39))

Hi,
I'm running 32-bit version of SQL Developer v. 3.2.20.09 build 09.87, and I used the built in context menu (right-clicking from the schema browser) today to copy a table. However, none of the comments copied. When I dug into the PL/SQL that the menu-item is using, I realized that it fails because it doesn't handle single quotes within the comment string.
For example, I have a table named WE_ENROLL_SNAPSHOT that I wanted to copy as WE_ENROLL_SNAPSHOT_V1 (within same schema name)
1. I right-clicked on the object in the schema browser and selected Table > Copy...
2. In the pop-up Copy window, I entered the new table name "WE_ENROLL_SNAPSHOT_V1" and ticked the box for "Include Data" option. -- The PL/SQL that the menu-command is using is in the "SQL" tab of this window. This is what I extracted later for testing the issue after the comments did not copy.
Result: Table and data copied as-expected, but no column or table comments existed.
I examined the PL/SQL block that the pop-up window issued, and saw this:
declare
l_sql varchar2(32767);
c_tab_comment varchar2(32767);
procedure run(p_sql varchar2) as
begin
     execute immediate p_sql;
end;
begin
run('create table "BI_ETL".WE_ENROLL_SNAPSHOT_V1 as select * from "BI_ETL"."WE_ENROLL_SNAPSHOT" where '||11||' = 11');
select comments into c_tab_comment from sys.all_TAB_comments where owner = 'BI_ETL' and table_name = 'WE_ENROLL_SNAPSHOT' and comments is not null;
run('comment on table BI_ETL.WE_ENROLL_SNAPSHOT_V1 is '||''''||c_tab_comment||'''');
for tc in (select column_name from sys.all_tab_cols where owner = 'BI_ETL' and table_name = 'WE_ENROLL_SNAPSHOT')
    loop
   for c in (select comments from sys.all_col_comments where owner = 'BI_ETL' and table_name = 'WE_ENROLL_SNAPSHOT' and column_name=tc.column_name)
   loop
   run ('comment on column BI_ETL.WE_ENROLL_SNAPSHOT_V1.'||tc.column_name||' is '||''''||c.comments||'''');
end loop;
end loop;
EXCEPTION
WHEN OTHERS THEN NULL;
end;
The string of the table comment on WE_ENROLL_SNAPSHOT is this:
WBIG table of frozen, point-in-time snapshots of Enrolled Students by Category/term/pidm. "Category" is historically, and commonly, our CENSUS snapshot; but, can also describe other frequencies, or categorizations, such as: End-of-Term (EOT), etc. Note: Prior to this table existing, Census-snapshots were stored in SATURN.SNAPREG_ALL. All FALL and SPRING term records prior-to-and-including Spring 2013 ('201230') have been migrated into this table -- EXCEPT a few select prior to Fall 2004 (200410) records where there are duplicates on term/pidm. NO Summer snapshots existed in SNAPREG_ALL, but were queried and stored retroactively (including terms prior to Spring 2013) for the purpose of future on-going year-over-year analysis and comparison.
Note the single quotes in the comment: ... ('201230')
So, in the above PL/SQL line 11 grabs this string into "c_tab_comment", but then line 12 fails because of the single quotes. It doesn't know how to end the string because the single quotes in the string are not "escaped", and this messes up the concatenation on line 12. (So, then no other column comments are created either because the block throws an error, and goes to line 22 for the exception and exits.)
When I modify the above PL/SQL as my own anonymous block like this, it is successful:
declare
c_tab_comment VARCHAR2(32767);
begin
SELECT REPLACE(comments,chr(39),chr(39)||chr(39)) INTO c_tab_comment FROM sys.all_TAB_comments WHERE owner = 'BI_ETL'   AND table_name = 'WE_ENROLL_SNAPSHOT' AND comments IS NOT NULL;
EXECUTE IMMEDIATE 'comment on table BI_ETL.WE_ENROLL_SNAPSHOT_V1 is '''||c_tab_comment||'''';
for tc in (select column_name from sys.all_tab_cols where owner = 'BI_ETL' and table_name = 'WE_ENROLL_SNAPSHOT')
    loop
   for c in (select REPLACE(comments,chr(39),chr(39)||chr(39)) comments from sys.all_col_comments where owner = 'BI_ETL' and table_name = 'WE_ENROLL_SNAPSHOT' and column_name=tc.column_name)
   loop
   EXECUTE IMMEDIATE 'comment on column BI_ETL.WE_ENROLL_SNAPSHOT_V1.'||tc.column_name||' is '||''''||c.comments||'''';
end loop;
end loop;
EXCEPTION
WHEN OTHERS THEN NULL;
end;
On lines 4 and 8 I wrapped the "comments" from sys.all_tab_comments and sys.all_col_comments with a replace command finding every chr(39) and replacing with chr(39)||chr(39). (On line 8 I also had to alias the wrapped column as "comments" so line 10 would succeed.)
Is this an issue with SQL Developer? Is there any chance that the menu-items can handle single quotes in comment strings? ... And, of course this makes me wonder which other context menu commands in the tool might have a similar issue.
Thoughts?
thanks//jacob

PaigeT wrote:
I know about quick drop, but it isn't helpful here. I want to be able to right click on a string or array wire, navigate to the string or array palette, and select the corresponding "Empty?" comparator. In this case, since I do actually know where those functions live, and I'm already using my mouse to right click on the wire, typing ctrl-space to open quick drop and then typing in the function name is actually more work than navigating to it in the palette. It would just be nice to have it on hand in the location I naturally go to look for it the first time.
I don't agree with this work flow. Right hand on mouse, left hand on home keys. Pressing CTRL + Space is done with the left hands, and then you could assign "ea" to "Empty Array" both of which is accessible with the left hand. Darren posted a bunch of great shortcuts for the right handed developer.
https://decibel.ni.com/content/docs/DOC-20453
This is much faster than waiting for any right click menu navigation, even if it is found in the suggested subpalette.
Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
If 10 out of 10 experts in any field say something is bad, you should probably take their opinion seriously.

Embedded Single Quote in SQL Column truncates Java String

I have a jsp web page that queries a database to see what day a user is registered for and then produces an URL for the user to click on. My problem is that the URL being processed stops when an embedded single quote is encountered.
Here is the database side:
Database side:
Create Table registration
(reg_id int not null,
name varchar2(45) not null,
day_nb int not null);
Insert into registration
(reg_id, name, day_nb)
values (1043,'Johnny''s Diner', 1);
Select name, day_nb from registration
where reg_id = 1043;
name, day_nb
Johnny's Diner 1
Snippet of relevant java code: (JSP page)
<%
int day_nb = rs.getInt("day_nb");
String particpant_name = rs.getString("name");
System.out.println("registration.jsp: particpant_name = " + particpant_name);
%>
<td width="84%">
     <a
     href='<%=response.encodeURL("registrationHandler.jsp?"particpant_name="+ particpant_name + "&day_nb="+ day_nb)%>'><%=particpant_name%>
                              </a>
                         </td>
{code}
The following is printed to System.Out:
registration.jsp: particpant_name = Johnny's Diner
The code produces the following URL
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny
The response.encodeURL is stopping on the single quote contained in "Johnny's Diner"
The URL I want is:
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny's Diner&day_nb=1
How do I account for the embedded single quote so the code works properly? Thanks In Advance!

You really need to read up on [SQL Injection|http://en.wikipedia.org/wiki/SQL_injection] and [XSS/Cross-Site Scripting|http://de.wikipedia.org/wiki/Cross-Site_Scripting]. Both present massive security problems and your code seems prone to easily producing both.
For SQL Injection attacks the correct solution is to always use PreparedStatements with only hard-coded String (i.e. never use String concatenation to build SQL statements).
For XSS attacks the solution is a bit harder, but basically you need to learn never to trust user input (that includes user input that you've previously stored in the database!) and always escape what the user sent when you print it back out.

How to pass a string variable in a single quote

Hi,
I am trying to pass a single quoted string, 'some string', into a concat expression.
My situation is some thing like
I have an array of states
<copy>
<from>
<ListOfValues xmlns="http://tbone.coi.test/amis">

<Value>A</Value>
<Value>B</Value>
<Value>C</Value>
</ListOfValues></from>
<to variable="StateList"/>
</copy>
then I loop through the StateList array to get each state as
<copy>
<from variable="StateList" query="/tns:ListOfValues/tns:Value[bpws:getVariableData('iterator')]"></from>
<to variable="currentState"/>
</copy>
I then build an xpath expression like:
<copy>
<from expression="concat('/nsxml0:GetSummariesResponse/nsxml1:Summaries[nsxml1:State = ',bpws:getVariableData('currentState'), ']')"></from>
<to variable="xpath"/>
</copy>
As the result, my xpath look like:
/nsxml0:GetSummariesResponse/nsxml1:Summaries[nsxml1:State = A]
but I need a state surrounded by single quote as 'A' or xpath query like
/nsxml0:GetSummariesResponse/nsxml1:Summaries[nsxml1:State = 'A']
Any ideas how can I single quote a value of bpws:getVariableData('currentState') in my concat expression
Thanks,
-V

Have you tried 'the string contain''s an ''?

How to pre-execute a variable between single quote?

Similar Messages

Maybe you are looking for