(JDBC) how to differentiate a single quote in a string? e.g. 'Michael's Store'

Hi all,
I wanted to differentiate a single quote in a string. Is there any way to do so?
I'm using Java.
Thanks

If you're using Java, I assume you're using straight JDBC rather than one of the many APIs layered on top of JDBC.
You should be using PreparedStatement objects with bind variables and you should be passing in string values by making appropriate setString() calls. When you're using bind variables, rather than building up SQL strings in your app, you won't have any issues with escaping quotes. You also won't have to worry about defending against SQL injection attacks and your application will perform much better since you won't be re-parsing the same statement over and over and won't be flooding your library cache with thousands of mostly identical statements.
Justin
I intended to say that you won't be flooding your shared pool with thousands of mostly identical statements, not the library cache.
Message was edited by:
Justin Cave
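Justin's advice in working form, as an added example that is not code from the original thread. It assumes a table STORES with columns STORE_ID and STORE_NAME, and takes the JDBC URL (with its driver on the classpath) as the first program argument; buildUnsafeSql only shows the text that string concatenation would send and is never executed against a database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: the string-building approach the question implies, next to
 * the PreparedStatement approach recommended in the answer.
 * Assumed schema: table STORES (STORE_ID NUMBER, STORE_NAME VARCHAR2).
 */
public class StoreLookup {

    /** Builds the SQL text the way the question does, by concatenating the value into it. */
    static String buildUnsafeSql(String storeName) {
        return "SELECT store_id FROM stores WHERE store_name = '" + storeName + "'";
    }

    /**
     * Looks up a store with the value bound as a parameter. The SQL text never
     * changes; the driver ships the value separately, so an embedded quote is data,
     * not syntax, and the database can reuse the one parsed statement.
     */
    static List<Integer> findStoreIds(Connection con, String storeName) throws SQLException {
        String sql = "SELECT store_id FROM stores WHERE store_name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, storeName);
            try (ResultSet rs = ps.executeQuery()) {
                List<Integer> ids = new ArrayList<>();
                while (rs.next()) {
                    ids.add(rs.getInt("store_id"));
                }
                return ids;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // A legitimate value with an apostrophe: in the concatenated text the
        // literal closes at the apostrophe and the rest is a syntax error.
        System.out.println(buildUnsafeSql("Michael's Store"));

        // A hostile value: the concatenated text is valid SQL whose WHERE clause
        // is now true for every row.
        System.out.println(buildUnsafeSql("x' OR '1'='1"));

        // With a bind variable both inputs are compared against STORE_NAME as
        // plain strings. The JDBC URL is an assumption supplied by the caller.
        if (args.length > 0) {
            try (Connection con = DriverManager.getConnection(args[0])) {
                System.out.println(findStoreIds(con, "Michael's Store"));
                System.out.println(findStoreIds(con, "x' OR '1'='1"));
            }
        }
    }
}
```

Run it without an argument to see the two concatenated strings; run it with a JDBC URL to see that findStoreIds sends the same SQL text both times and that the second input matches nothing unless a store is literally named that.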

Similar Messages

  • Place single quote around string

    Hi,
    I am wondering how I can place a single quote around a string in the following. I have tried double and triple quotes but it doesn't take the variable name from rec.tablename.
    Any idea?
    rec.table_name ==> 'rec.table_name'
    rec.column_name ==> 'rec.column_name'
    v_sql:= 'DELETE USER_SDO_GEOM_METADATA WHERE TABLE_NAME= ' || rec.table_name ;
    execute immediate v_sql;
    -- Insert Table Record in Sdo_User_Geom_Metadata
    v_sql:= 'INSERT INTO USER_SDO_GEOM_METADATA(TABLE_NAME, COLUMN_NAME, DIMINFO, SRID) ' ||
    'VALUES (' || rec.table_name || ',' || rec.column_name || ', MDSYS.SDO_DIM_ARRAY( ' ||
    'MDSYS.SDO_DIM_ELEMENT(''X'',-2147483648, 2147483647, .000005), ' ||
    'MDSYS.SDO_DIM_ELEMENT(''Y'',-2147483648, 2147483647, .000005)), 2958)' ;
    execute immediate v_sql;
    Nancy

    I have 2 suggestions, 2nd one being the better choice.
    SQL> set serveroutput on
    SQL>
    SQL> declare
      2    v_sql varchar2(4000);
      3    table_name varchar2(4000);
      4  begin
      5    table_name := 'MY_TABLE';
      6    v_sql:= 'DELETE USER_SDO_GEOM_METADATA WHERE TABLE_NAME= ''' || table_name || '''';
      7    dbms_output.put_line(v_sql);
      8  end;
      9  /
    DELETE USER_SDO_GEOM_METADATA WHERE TABLE_NAME= 'MY_TABLE'
    PL/SQL procedure successfully completed
    Or using DBMS_ASSERT for a more elegant solution against SQL injection:
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as fsitja
    SQL> set serveroutput on
    SQL>
    SQL> declare
      2    v_sql varchar2(4000);
      3    table_name varchar2(4000);
      4  begin
      5    table_name := dbms_assert.QUALIFIED_SQL_NAME('ALL_TABLES');
      6    v_sql:= 'DELETE USER_SDO_GEOM_METADATA WHERE TABLE_NAME= ' || dbms_assert.ENQUOTE_NAME(table_name);
      7    dbms_output.put_line(v_sql);
      8  end;
      9  /
    DELETE USER_SDO_GEOM_METADATA WHERE TABLE_NAME= "ALL_TABLES"
    PL/SQL procedure successfully completed
    Docs referencing validation checks against SQL injection: http://download.oracle.com/docs/cd/E11882_01/appdev.112/e10472/dynamic.htm#LNPLS648
    Regards,
    Francisco

  • How to pass a single quote in a URL using Javascript

    Can someone tell me how to pass a single quote in a URL using Javascript? I have created a Javascript function in which I pass several column values from an APEX report.
    The URL for the report link I am using is "JAVASCRIPT:passBack('#EMP_ID#','#Name#','#e-mail#')"
    The problem occurs when the Name and e-mail columns contain a single quote (i.e. James O'Brien).

    Thank you Saad, that worked.
    Since I built the report using type 'SQL Query (PL/SQL function body returning SQL query)' I had to add some additional quotes to get it to work.
    i.e.
    replace(EMP_EMAIL_NAME,'''''''',''\'''''')
    or
    replace(EMP_EMAIL_NAME,chr(39),''\'''''')
    Thanks for the help,
    Jason

  • How to escape a single quotes from a string of dynamic sql clause?

    If a single quote exists in a dynamic SQL clause for a string,
    like
    v_string :='select tname from tab where tabtype='table'',
    the tabtype='table' will conflict with the single quote ahead of it.
    Could somebody tell me how to escape this single quote?
    thanks for your tips,
    frederick

    fredrick,
    To represent one single quotation mark within a literal, enter two single quotation marks. For example :
    v_string :='select tname from tab where tabtype=''table'''
    Regards,
    Srinivas

  • How to Delimit the Single quotes ( ' )

    Hi friends.
    How to delimit the single quotes ( ' ), or
    how to move the single quotes in fields?
    Anybody please reply.
    Thanks
    pauldharma

    Hi,
    Use '''' for single quotes and that will result in a single quote.
    i.e.
    lv_quote = ''''.
    Darren

  • SQL: Need help putting single quote around string

    I want to put single quotes around string in my output.
    I am running the following command as a test:
    select ' ' hello ' ' from dual;
    My expectation is to get 'hello' (Single quote around hello)
    However I am getting the following error:
    ERROR at line 1:
    ORA-00923: FROM keyword not found where expected
    When I do SHOW ALL at my SQL command prompt, the escape is set as follows:
    escape "\" (hex 5c)
    I even tried: select '\'hello\'' from dual;
    I get back: select ''hello'' from dual
    ERROR at line 1:
    ORA-00923: FROM keyword not found where expected

    Hi,
    user521525 wrote:
    I want to put single quotes around string in my output.
    I am running the following command as a test:
    select ' ' hello ' ' from dual;
    My expectation is to get 'hello' (Single quote around hello)

    You probably read that you can get a single-quote within a string literal by using two of them in a row.
    That's true, but they really have to be in a row (no spaces in between), and you still need the single-quotes at the beginning and end of the literal.
    So what you want is
    SELECT  '''hello'''
    FROM    dual;

    Starting in Oracle 10, you can also use Q-notation. For example:
    SELECT  Q'['hello']'
    FROM    dual;

  • How to escape a single quote in a find mode view

    Hello,
    I'm working with JDeveloper 10g.
    I've defined a view that is used in "find mode" in a JSP.
    When a value with a single quote is inserted in a field of the search form, an exception is thrown:
    JBO-27122: SQL error during statement preparation.
    ORA-00907: missing right parenthesis.
    The problem is that the "single quote" is not being escaped:
    WHERE STREET LIKE 'ABAT ESCARRE, DE L'A'
    How could I force the view to escape the "single quote"?
    Thanks

    Arrest the single quote by calling a javascript method.
    This might help you
    Re: af:clientListener javascript function call question
    http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e12419/tagdoc/af_clientListener.html
    Edited by: Srinidhi on Mar 23, 2011 3:46 PM

  • How do I pass single quotes into a string variable?

    Thanks for any help.
    Example
    Select xdat, yday
    from foo
    where
    xdat = to_char(sysdate, 'mm/dd/yyyy')
    How do I pass the single quoted stuff above into a string variable?

    Thank you but that is not the same thing. I am building a dynamic SQL statement and need to pass the quoted material into a statement that is quoted. Is that not what my example above shows?

    My example above has a quoted string inside a string. I think this is exactly what you were asking for.

  • How to use a single quote string in where condition

    Hi,
    I have one problem in building a query.
    SELECT agx_drug_indication.record_id, agx_drug_indication.fk_ad_rec_id,
    agx_drug_indication.drugindicationmeddraver, agx_drug.record_id,
    agx_drug.fk_apat_rec_id,
    REPLACE (agx_drug.medicinalproduct, '''', '''') AS "MEDICINALPRODUCT",
    pack_imp_objects.fn_get_arisg_code
    (147,
    agx_drug_indication.drugindicationmeddraver
    ) AS "DRUGINDICATIONMEDDRAVER",
    agx_drug.drugindication,
    NVL (agx_drug.drugcharacterization, 1) AS "DRUGCHARACTERIZATION",
    agx_safety_report.record_id, agx_safety_report.case_identifier_no,
    agx_safety_report.fk_apat_rec_id,
    pack_imp_objects.fn_meddra_llt_matching
    (agx_drug_indication.drugindication,
    agx_drug_indication.drugindication,
    agx_drug_indication.drugindicationmeddraver,
    1
    ) AS "LLT_CODE",
    pack_imp_objects.fn_meddra_soccode_matching
    (agx_drug_indication.drugindication,
    agx_drug_indication.drugindicationmeddraver
    ) AS "PRIMARY_SOC_CODE",
    pack_imp_objects.fn_meddra_soccode_matching
    (agx_drug_indication.drugindication,
    agx_drug_indication.drugindicationmeddraver
    ) AS "CASE_SOC_CODE",
    pack_imp_objects.fn_meddra_pt_matching
    (agx_drug_indication.drugindication,
    agx_drug_indication.drugindication,
    agx_drug_indication.drugindicationmeddraver
    ) AS "PT_CODE",
    pack_imp_objects.fn_get_aer_id (11) AS "AER_ID"
    FROM agx_drug_indication,
    agx_drug,
    agx_safety_report
    WHERE agx_drug_indication.fk_ad_rec_id = agx_drug.record_id
    AND agx_drug.fk_apat_rec_id = agx_safety_report.fk_apat_rec_id
    AND agx_safety_report.case_identifier_no IS NOT NULL
    AND agx_drug_indication.drugindication IS NOT NULL
    AND agx_drug.medicinalproduct =
    REPLACE ('*-qVAGX_DRUG.MEDICINALPRODUCT*', '''', '''')
    In the above query the last line '-qVAGX_DRUG.MEDICINALPRODUCT' is a dynamic variable which may or may not contain single quotes.
    Ex: ABC's or just ABC.
    The query has to support both with a single quote and without a quote in it.
    I wanted everything to be done in the single query and not a PL/SQL block.
    Please help me ASAP

    kumar0828 wrote:
    ...
    REPLACE (agx_drug.medicinalproduct, '''', '''') AS "MEDICINALPRODUCT",
    ...

    REPLACE (agx_drug.medicinalproduct, '''', '''')

    With the above statement you are replacing a single quote with another single quote
    (which is nonsense).

    ...
    AND agx_drug.medicinalproduct = REPLACE ('*-qVAGX_DRUG.MEDICINALPRODUCT*', '''', '''')
    In the above query last line '-qVAGX_DRUG.MEDICINALPRODUCT' is a dynamic variable which may or may not contain the single quotes.

    This is not a dynamic variable but a string value:

    AND agx_drug.medicinalproduct =
    REPLACE ('*-qVAGX_DRUG.MEDICINALPRODUCT*', '''', '''')
    => *-qVAGX_DRUG.MEDICINALPRODUCT*

    AND agx_drug.medicinalproduct =
    REPLACE (q'*-qVAGX_DRUG.MEDICINALPRODUCT*', '''', '''')
    => -qVAGX_DRUG.MEDICINALPRODUCT

    q'[a]' => a
    q'[a']' => a'
    q'[a'']' => a''
    q'*a*' => a
    q'*a'*' => a'
    q'*a''*' => a''

    A variable also cannot contain a dot (.):
    VAGX_DRUG.MEDICINALPRODUCT

    Ex: ABC's or just ABC.
    The query has to support both single quote and without quote in it.
    I wanted everything to be done in the single query and not a PL/SQL block.
    Please help me ASAP

    Try this:
    AND agx_drug.medicinalproduct = MY_VARIABLE

  • How can i concatenate single quote to a field symbol

    hi
    I have a scenario where I have to concatenate a single quote (') to the field symbol. It is simple but I'm not able to do that.
    concatenate ''' <f> ''' into lv_f.
    CONCATENATE lv_condition_temp lv_f INTO
                                   lv_condition_temp
                                           SEPARATED BY space.
    this is the code which i used. could someone help me in solving this...
    thanks & regards,
    subha....

    hi
    i tried using the following code
    data : lv_text(10) type c.
    concatenate ''' <f> ''' into lv_text.
    it is giving me a spelling or incorrect comma error.
    thanks & regards,
    subhashini.

  • How to deal with single quote (') in a field value?

    I can successfully insert a value with a single quote using a
    PreparedStatement with the placeholder (?) construct.
    I can also successfully use a value with a single quote (') in a
    WHERE clause.
    My question is, is there a way to use a string with a single
    quote in a Statement like:
    String sqlString = "INSERT INTO customers (name, address) VALUES ( 'O'Reilly Bob', 'St Mary's Street') ";
    Statement sqlStmt = con.createStatement();
    sqlStmt.executeUpdate(sqlString);
    The last statement will throw an SQLException due to the single quotes.
    Any ideas?

    I think the question was regarding the ' in O'Reilly. Use ' twice when using the Statement interface, i.e.
    ("O''Reilly Bob", "St Mary''s Street")
    So that's two single quotes, not a double quote, to successfully insert a single quote, if you know what I mean....
    But like you said PreparedStatement does things like this for you.
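The doubling rule from the answer above, and the identifier checking Francisco showed with DBMS_ASSERT in the PL/SQL post earlier on this page, written in Java as an added example (not code from either poster). The identifier pattern and the 128-character limit are assumptions about the target database. Values that can be bound should still go through PreparedStatement; this is for the places, such as a table name in a DELETE or DDL statement, where a bind variable is impossible.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example: quoting a value by doubling its single quotes, next to
 * validating an identifier instead of quoting it. For values, prefer binding.
 */
public final class SqlQuoting {

    // Assumed rule for an unquoted identifier: a letter, then letters, digits,
    // _ $ #, up to 128 characters (the Oracle 12.2+ limit; older releases allow 30).
    private static final Pattern SIMPLE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,127}");

    /** Turns a value into a SQL string literal: each ' inside becomes '' and the whole is wrapped in quotes. */
    static String enquoteLiteral(String value) {
        if (value == null) {
            return "NULL";
        }
        return "'" + value.replace("'", "''") + "'";
    }

    /**
     * Accepts only a simple identifier and returns it uppercased, the way an
     * unquoted Oracle name is stored. Anything else is rejected, not escaped:
     * there is no safe way to "escape" a table name that carries a semicolon.
     */
    static String simpleSqlName(String name) {
        if (name == null || !SIMPLE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("not a simple SQL identifier: " + name);
        }
        return name.toUpperCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // The two values from the post, as they would appear inside the INSERT text.
        System.out.println(enquoteLiteral("O'Reilly Bob"));
        System.out.println(enquoteLiteral("St Mary's Street"));

        // A table name that came from outside the program is checked, not quoted.
        System.out.println(simpleSqlName("my_table"));
        try {
            simpleSqlName("my_table; DROP TABLE customers");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Since Java 9 (JDBC 4.3) java.sql.Statement has default methods enquoteLiteral(String) and enquoteIdentifier(String, boolean) for the same two jobs; a driver may override them with database-specific rules, so prefer those over a hand-written helper when the runtime allows it.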

  • How to escape the single quote from email value?

    Hi,
    Is there any way to escape the special character single quote from the email value?
    String ownerQry = "Select Id, email from User where email in('0000'";
    for (int i = 0; i < accountData.length; i++)
        ownerQry += ",'" + accountData[i].TEAM_EMAIL + "'";
    ownerQry += ")";
    QueryResult qrTeam = sfdcCtrl.query(ownerQry);
    When I tried to set the email value on a custom object, it's throwing the error below and failed to update.
    <xml-fragment xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sf="urn:fault.enterprise.soap.sforce.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><faultcode>sf:MALFORMED_QUERY</faultcode><faultstring>MALFORMED_QUERY:
    '[email protected]','brenden.o'[email protected]','[email protected]'
    ^ ERROR at Row:1:Column:963 expecting a right parentheses, found 'connor'</faultstring><detail><sf:fault xsi:type="sf:MalformedQueryFault" xmlns:sf="urn:fault.enterprise.soap.sforce.com"><sf:exceptionCode xmlns:sf="urn:fault.enterprise.soap.sforce.com">MALFORMED_QUERY</sf:exceptionCode><sf:exceptionMessage xmlns:sf="urn:fault.enterprise.soap.sforce.com">
    '[email protected]','brenden.o'[email protected]','[email protected]'
    ^ ERROR at Row:1:Column:963 expecting a right parentheses, found 'connor'</sf:exceptionMessage><sf:row xmlns:sf="urn:fault.enterprise.soap.sforce.com">1</sf:row><sf:column xmlns:sf="urn:fault.enterprise.soap.sforce.com">963</sf:column></sf:fault></detail></xml-fragment>

    Thanks Dr.Clap.
    I think it's very tricky to implement this.
    Here is the SOQL query. I am passing all the email values.
    Select Id, email from User where email in('0000','o\'[email protected]','[email protected]')
    These values are coming from an Oracle DB table in the form of an array accountData[].TEAM_EMAIL
    String ownerQry = "Select Id, email from User where email in('0000'";
    for (int i = 0; i < accountData.length; i++)
        ownerQry += ",'" + accountData[i].TEAM_EMAIL + "'";
    ownerQry += ")";
    The array value may contain an email with a single quote before @gmail.com which I need to ignore. :-( I think this is very tricky. Who knows the solution for this?
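The IN list from the post above, built with the escaping that SOQL string literals use: a backslash before a single quote and before a backslash, the form visible in the query the poster printed (o\'...). This is an added example, not the poster's code. The Salesforce SOAP query call takes only a query string, so there is no bind variable to fall back on; the email addresses below are constructed for the demo and the real code would take them from accountData[].TEAM_EMAIL.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: escaping values for a SOQL IN (...) list. Backslash is the
 * escape character in SOQL string literals, not a doubled quote as in SQL.
 */
public final class SoqlInList {

    /** Escapes one value for use inside a single-quoted SOQL string literal. */
    static String escapeSoql(String value) {
        // Backslashes first, so the backslash added for a quote is not doubled again.
        return value.replace("\\", "\\\\").replace("'", "\\'");
    }

    /** Builds: Select Id, email from User where email in('0000','a','b',...) */
    static String ownerQuery(List<String> emails) {
        StringBuilder sb = new StringBuilder("Select Id, email from User where email in('0000'");
        for (String email : emails) {
            sb.append(",'").append(escapeSoql(email)).append('\'');
        }
        return sb.append(')').toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one address with an apostrophe, one without.
        List<String> teamEmails = Arrays.asList(
                "brenden.o'connor@example.com",
                "jane.doe@example.com");
        // The apostrophe is emitted as \' so the literal is not terminated early,
        // which is what produced the "expecting a right parentheses" fault above.
        System.out.println(ownerQuery(teamEmails));
    }
}
```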

  • How do I escape single quotes in SQL queries

    Hi
    I am using EclipseLink + EJB 3.0.
    When a single quote ( ' ) is entered as search criteria for a JPA query, it throws an exception.
    As specified in the below link, it's a generic SQL problem.
    http://it.toolbox.com/wiki/index.php/How_do_I_escape_single_quotes_in_SQL_queries%3F
    If a single quote is used to escape a single quote, it might fail in MySQL (which uses a backslash as the escape character).
    Please suggest a generic way to resolve this issue, so that it works across DBMSs.
    Thanks
    Tilak

    Hello,
    I'm not sure of the query you are trying to execute, or why you would link an article that is strongly suggesting parameter binding when you state you are looking for escape characters. If you pass in the parameter, you do not need to use escape characters, and EclipseLink uses parameter binding by default.
    What is the exception you are getting, and the SQL that is generated? Is this a native query or a JPQL query?
    Best Regards,
    Chris

  • How to insert a single quote ........

    hi,
    How do I insert a single quote in a table from the SQL prompt?
    Suppose I want to insert Luna's car.
    How do I do it...
    I get an error at the SQL prompt.

    Dear Satyaki,
    SQL> select * from v$version;
    BANNER
    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
    PL/SQL Release 10.2.0.1.0 - Production
    CORE 10.2.0.1.0 Production
    TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
    NLSRTL Version 10.2.0.1.0 - Production
    SQL> desc tst
    Name Null? Type
    X VARCHAR2(50)
    SQL> insert into tst
    2 values (q'!luna's car!');
    ERROR:
    ORA-01756: quoted string not properly terminated
    i still get this message

  • How to get a single quote in a string

    This is my code. How do I get a ' around the :p2_marketingcode so that the result will be
    and marketingcode_id LIKE 'SP09663'
    I tried something like this ||'''||:p2_marketingcode||''';
    if :p2_marketingcode is not null then
    q:=q||' and marketingcode_id LIKE '||:p2_marketingcode;
    end if;

    Try:
    if :p2_marketingcode is not null then
    q:=q||' and marketingcode_id LIKE '''||:p2_marketingcode||'''';
    end if;
