Quote in sql statements

hi, i have a problem when i try to enter a word with quotation mark in the query, it gets a java.sql.SQLException: Syntax error or access violation error.
for example here is my select statement:
"Select * from tblholdings where title like '"+key+'"";
If i enter computer as key value it is Ok, but when i enter computer' (with quotation) it get the SQLException error. Please help me on how to solve it. Ho w can i convert the key value with a quotation marks to a value that is acceptable by MySQL database.
Thanks in advance for your help.

There are a variety of solutions. I believe the most practical is to use a PreparedStatement rather then a Statement when making the query. A PreparedStatement will automatically escape quotations marks in the query string (if that is your problem).

Similar Messages

Escaping single quotes in SQL Statement

I am getting SQL Statement error when i tried to have a value with a single quote in it ,inside my SQL Statement.
e.g.
INSERT INTO tblHoldings(Title) VALUES ('Developing Asia�s fibre processing through collaboration');
here the Title to be inserted in the table tblHoldings is "Developing Asia�s fibre processing through collaboration"
i used to trapped the single quote by using its escape character ( \ ) with this method and its fine with MySQL 4 but when I upgraded to MySQL 5.0.22, I now getting the SQL Statement error again.
public String cleanse(String dirty) {
      String clean = dirty.replaceAll("\'", "\\\\'");
      return clean;
}    please help me..how can i trapped/escape single quote in MySQL 5 in Java?
Thanks in advance for your help.

No. Please use PreparedStatements. That is theonly
correct answer to this question.Ok please tell us. how would you use prepare
statement.. no just say USE PREPARE STATE.. givethe
guy the code... or help..What size spoon would you like to be fed with? There
was nothing about gob size in the original post.
http://www.javaalmanac.com
well duffymo.. i think you gave a link, is quite of help, but my friend preparestatement just gave "use preparestatement"..
i think even you when you start coding you needed help... and some one just tell you use preparestatement how do you feel..
There is a level of help. i think it will be (((as much as you can)))

Can someone help me correct this sql statement in a jsp page?

ive been getting the java.sql.SQLException: Incorrect syntax error for one of my sql nested statements. i cant seem to find similar egs online, so reckon if anyone here could help, really appreciate it.
as im putting the nested sql in jsp page, it has to be with lots of " " n crap. very confusing if there are nested.
heres the sql statement without those "" that i want to use:
select top 5 * from(
select top+"'"+offset+"'"+" * from prod where cat=" +"'" cat "'"+"
)order by prodID desc
when i put this in my jsp pg, i had to add "" to become:
String sql = "select top 5 * from("+"select top"+"'"+offset+"'"+" * from prod where cat=" +"'" +cat+ "'"+")order by prodID desc";cat=" +"'" cat "'"+")order by prodID desc";
all those "" are confusing me to no end, so i cant figure out what should be the correct syntax. the error says the syntax error is near the offset.

If offset is, say, 10, and cat is, say, "new", then it looks like you're going to produce the SQL:
select top 5 * from(
select top '10' * from prod where cat='new'
)order by prodID descThat looks exactly like incorrect syntax to me... top almost certainly can't handle a string literal as its operand... you almost certainly would want "top 10" instead of "top '10'"...
If you use PreparedStatement, you don't have to remember what you quote and what you don't and you can have your SQL in a single static final string to boot...

Embedded Single Quote in SQL Column truncates Java String

I have a jsp web page that queries a database to see what day a user is registered for and then produces an URL for the user to click on. My problem is that the URL being processed stops when an embedded single quote is encountered.
Here is the database side:
Database side:
Create Table registration
(reg_id int not null,
name varchar2(45) not null,
day_nb int not null);
Insert into registration
(reg_id, name, day_nb)
values (1043,'Johnny''s Diner', 1);
Select name, day_nb from registration
where reg_id = 1043;
name, day_nb
Johnny's Diner 1
Snippet of relevant java code: (JSP page)
<%
int day_nb = rs.getInt("day_nb");
String particpant_name = rs.getString("name");
System.out.println("registration.jsp: particpant_name = " + particpant_name);
%>
<td width="84%">
     <a
     href='<%=response.encodeURL("registrationHandler.jsp?"particpant_name="+ particpant_name + "&day_nb="+ day_nb)%>'><%=particpant_name%>
                              </a>
                         </td>
{code}
The following is printed to System.Out:
registration.jsp: particpant_name = Johnny's Diner
The code produces the following URL
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny
The response.encodeURL is stopping on the single quote contained in "Johnny's Diner"
The URL I want is:
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny's Diner&day_nb=1
How do I account for the embedded single quote so the code works properly? Thanks In Advance!

You really need to read up on [SQL Injection|http://en.wikipedia.org/wiki/SQL_injection] and [XSS/Cross-Site Scripting|http://de.wikipedia.org/wiki/Cross-Site_Scripting]. Both present massive security problems and your code seems prone to easily producing both.
For SQL Injection attacks the correct solution is to always use PreparedStatements with only hard-coded String (i.e. never use String concatenation to build SQL statements).
For XSS attacks the solution is a bit harder, but basically you need to learn never to trust user input (that includes user input that you've previously stored in the database!) and always escape what the user sent when you print it back out.

How to handle special characters in SQL statements

How do you handle special charactes in a SQL statement? Here is an example:
update table
set notefield = 'This is Waldo's note'
where keyfield = 7;
Because the database connectivity vi accepts a string datatype wire, the ' in Waldo's note is seen as the end of string and an error is generated.
Is there a way to tell labview that the ' is part of the string and not the string delimiter?
Waldo

If two single quotes don't work, try backslash single quote, like \'
The backslash is often used as an escape character, meaning to treat the next character literally.
- tbob
Inventor of the WORM Global

Using Date objects in SQL statements

Hi, I am wondering if it is possible to use Date objects while trying to retrieve entries from an access database with fields set as "Date/Time" fields, as opposed to "Text"? If so, do I need to reformat it before inserting it into the SQL statement, or can I just leave it as a Date object, and call up the variable name?
For example - "SELECT * FROM database WHERE startDate = ' " + dateObject + ' ". And do i need quotes round this value?
Thanks in advance.

I had some problems by just fetching a date and pushing it back to a MS SQL Database.
I used the following reformating step to fix it:
if (o instanceof Timestamp)
String time = o.toString().substring(8,10)+"."+o.toString().substring(5,7)+"."+o.toString().substring(0,4)+" "+o.toString().substring(11,19);
ht.put(columnName, time);
o is the object i receve from the select statement and ht is a Hashtable where i put my data.
To write the data back i now can use:
UPDATE table SET columnname = 'valueOfColumn'
This means i use the value i created above in Quotes to write it back.
Format of Timestamp.toString() is something like yyyy-mm-dd hh:mm:ss.xx
Format used by MS SQL (and i think by Access to) 'dd.mm.yyyy hh:mm:ss'

Using a number variable in an SQL statement

Hi,
I am trying to use a variable in an sql statement and I have run into problems when the variable is a number. The following line of code works if the variable is a string but not if it is a number.
"SELECT TOP 1 UUT_STATUS FROM UNIT_UUT_RESULT WHERE UnitID = '" + Locals.LocalUnitID + "' ORDER BY START_DATE_TIME DESC"
Is there a difference in the use of the single and double quotes and the + sign for number variables?
Thanks
Stuart
Solved!
Go to Solution.

Hi Stuart,
I am assuming that the UnitID is stored as a numeric in the database? If so, the proper SQL syntax for comparing with numerics should not use a single quote (or any quotes for that matter). The quotes are used only for strings.
So you would want to use:
"SELECT TOP 1 UUT_STATUS FROM UNIT_UUT_RESULT WHERE UnitID = " + Locals.LocalUnitID + " ORDER BY START_DATE_TIME DESC"
This is really more of an SQL question universal to all languages, not just TestStand.
Here is an excellent resource that you can consult:
http://www.w3schools.com/sql/sql_where.asp
Jervin Justin
NI TestStand Product Manager

Odd results from SQL statement in JSP

Hi.
Getting very strange results from my SQL statement housed in my JSP.
the last part of it is like so:
"SELECT DISTINCT AID, ACTIVE, REQUESTOR_NAME, ..." +
"REQUESTOR_EMAIL" +
" FROM CHANGE_CONTROL_ADMIN a INNER JOIN CHANGE_CONTROL_USER b " +
"ON a.CHANGE_CTRL_ID = b.CHANGE_CTRL_ID " +
" WHERE UPPER(REQUESTOR_NAME) LIKE ? ";   I've set the following variables and statements:
String reqName = request.getParameter("requestor_name");
PreparedStatement prepstmt = connection.prepareStatement(preparedQuery);
prepstmt.setString(1, "%" + reqName.trim().toUpperCase() + "%");
ResultSet rslts = prepstmt.executeQuery();
rslts.next();
int aidn = rslts.getInt(1);
int actbox = rslts.getInt(2);     String reqname = rslts.getString(3).toUpperCase();
String reqemails = rslts.getString(4);
String bizct = rslts.getString(5);
String dept = rslts.getString(6);
String loc = rslts.getString(7);
Date datereq = rslts.getDate(8);
String busvp = rslts.getString(9);
AND SO ONSo then I loop it, or try to with the following:
<%
try {
while ((rslts).next()) { %>
<tr class="style17">
    <td><%=reqname%></td><td><%=reqemails %></td><td><%=bizct %></td>td><%=dept %></td>
   <td><%=aidn %></td>
</tr>
<%
rslts.close();
selstmt.close();
catch(Exception ex){
     ex.printStackTrace();
     log("Exception", ex);
%>AND so on, setting 13 getXXX methods of the 16 cols in the SQL statement.
Trouble is I'm getting wildly inconsistent results.
For example, typing 'H' (w/o quotes) will spit out 20 duplicate records of a guy named Herman, with the rest of his corresponding info correct, just repeated for some reason.
Typing in 'He' will bring back the record twice (2 rows of the complete result set being queried).
However, typing in 'Her' returns nothing. I could type in 'ell' (last 3 letters of his name, Winchell) and it will again return two duplicate records, but typing in 'hell' would return nothing.
Am I omitting something crucial from the while statement that's needed to accurately print out the results set without duplicating it and that will ensure returning it?
There's also records in the DB that I know are there but aren't being returned. Different names (i.e. Jennifer, Jesse, Jeremy) won't be returned by typing in partial name strings like Je.
Any insight would be largely appreciated.
One sidenote: I can go to SQL Plus and accurately return a results set through the above query. Having said that, is it possible the JDBC driver has some kind of issue?
Message was edited by:
bpropes20
Message was edited by:
bpropes20

Am I omitting something crucial from the while
statement that's needed to accurately print out the
results set without duplicating it and that will
ensure returning it?Yes.
In this code, nothing ever changes the value of reqname or any of the other variables.
while ((rslts).next()) { %>
<tr class="style17">
    <td><%=reqname%></td><td><%=reqemails %></td><td><%=bizct %></td>td><%=dept %></td>
   <td><%=aidn %></td>
</tr>
<%
} You code needs to be like this:while (rslts.next()) {
reqname = rslts.getString(3).toUpperCase();
reqemails = rslts.getString(4);
bizct = rslts.getString(5);
dept = rslts.getString(6);
loc = rslts.getString(7);
datereq = rslts.getDate(8);
busvp = rslts.getString(9);
%>
<tr class="style17">
    <td><%=reqname%></td><td><%=reqemails %></td><td><%=bizct %></td>td><%=dept %></td>
   <td><%=aidn %></td>
</tr>
<%
There's also records in the DB that I know are there
but aren't being returned. Different names (i.e.
Jennifer, Jesse, Jeremy) won't be returned by typing
in partial name strings like Je.Well, you're half-right, your loop won't display all the rows in the result set, because you call rslts.next(); once immediately after executing the query. That advance the result set to the first row; when the loop is entered, it starts displaying at the 2nd row (or later if there are more next() calls in the code you omitted).

How to get rid of quotes in SQL?

Hi All!
Does anybody know how to get rid of quotes in
generated SQL? I don't mean manual editing.
Are there any properties controlling this
behavior (adding "" automatically)?
Thanks in advance!
Sincerely,
Lev

Use PreparedSatement class,
e.g.
// Where the name field is defined as char, i.e. needs quotes in SQL.
String sql = "select * from person where name = ? ";
PreparedStatement statement = connection.prepareSatement(sql);
statement.setString(1, "Bob");
statement.executeQuery();
This will get rid of hardcoding db vendor dependant quotes in your sql,
Hope this helped.

Use variable in SQL statement

HI guys:
I need code three SQL statements.the returned field and selected table are all same,there is only a difference in their "where" statement.
Sample code:
    select marcmatnr marcwerks
    into table it_data
    from MARC inner join MBEW on marcmatnr = mbewmatnr
    where marcmatnr like 'A%' and mbewzplp1 = '001'.
    second one........................ mbew~zplp2 = '001'
    third one......................... mbew~zplp3 = '001'
Could I write a FORM gather them with transporting a parameter ZPLPX to determine which condiniton will be execute?
thank you very much.

Hi tianli,
1. source text
   This concept of dynamic where
   condition is called source text.
2. use like this.
   This is important in the code ---> WHERE (mywhere).
REPORT abc LINE-SIZE 80.
DATA : it_data LIKE TABLE OF mara WITH HEADER LINE.
QUOTES ARE IMPORTANT
PERFORM mysql USING 'mbew~zplp2 = ''001'''.
FORM mysql USING mywhere.
SELECT marcmatnr marcwerks
INTO TABLE it_data
FROM marc INNER JOIN mbew ON marcmatnr = mbewmatnr
WHERE (mywhere).
ENDFORM.                    "mysql
regards,
amit m.

IScript problem - Cannot use an input in a sql statement

I get the input from an input box and it is correct
&param = %Request.GetParameter("Dept");
I try to use it in a sql statement lke this and nothing displays even though it its entered correctly and the value exists in the table
Local SQL &usersCursor = CreateSQL("SELECT EMPLID, BIRTHDATE, NAME FROM PS_EMPLOYEES WHERE DEPTNAME_ABBRV = '&param'");
If I leave out the single quotes around and do it like this &param then it errors out
Local SQL &usersCursor = CreateSQL("SELECT EMPLID, BIRTHDATE, NAME FROM PS_EMPLOYEES WHERE DEPTNAME_ABBRV = &param");
I need help structuring this correctly
Thanks,
Allen Cunningham

Hi,
CreateSQL does not execute the sql statement, it just creates an SQL object, which you have to execute.
Something like this:
&param = %Request.GetParameter("Dept");
Local SQL &usersCursor = CreateSQL("SELECT EMPLID, BIRTHDATE, NAME FROM PS_EMPLOYEES WHERE DEPTNAME_ABBRV = :1", &param);
While usersCursor.Fetch(&Emplid, &Birthdate, &Name)
/* do processing*/
End-While;

Help! Syntax Error in SQL statement

Hello. I'm getting an error message and I'm just not seeing
where I went wrong. The SQL statement is:
updateSQL = "UPDATE TrainingHistory SET Status='" &
fFormat(Request.Form(cStatus)) & "', StatusComments='" &
fFormat(Request.Form(cStatusComments)) & " WHERE Training_ID="
& fFormat(Request.Form(cTrainingID))
The error message is:
[Microsoft][ODBC Microsoft Access Driver] Syntax error in
string in query expression '' WHERE Training_ID=9054'.
I've been looking at it for a while. Not sure where I went
wrong. Here is a more complete version of the code:
<%
Function fFormat(vText)
fFormat = Replace(vText, "'", "''")
End Function
Sub sRunSQL(vSQL)
set cExecute = Server.CreateObject("ADODB.Command")
With cExecute
.ActiveConnection = MM_coldsuncrea_lms_STRING
.CommandText = vSQL
.CommandType = 1
.CommandTimeout = 0
.Prepared = true
.Execute()
End With
End Sub
If Request.Form("action")="update" Then
'Set variables for update
Dim updateSQL, i
Dim cTrainingID, cStatus, cStatusComments
'Loop through records on screen and update
For i = 1 To fFormat(Request.Form("counter"))
'Create the proper field names to reference on the form
cTrainingID = "Training_ID" & CStr(i)
cStatus = "Status" & CStr(i)
cStatusComments = "StatusComments" & CStr(i)
'Create the update sql statement
updateSQL = "UPDATE TrainingHistory SET Status='" &
fFormat(Request.Form(cStatus)) & "', StatusComments='" &
fFormat(Request.Form(cStatusComments)) & " WHERE Training_ID="
& fFormat(Request.Form(cTrainingID))
'Run the sql statement
Call sRunSQL(updateSQL)
Next
'Refresh page
Response.Redirect("ClassUpdateRoster.asp?Training_ID=") &
(rsClassDetails.Fields.Item("event_ID").Value)
End If
%>

You need another single quote after the double quote before
the WHERE clause. You are not closing the single quote you used to
delimit the value for StatusComments.

SQL statement in Oracle

As I know in SQL server, i can create a field called customer name, can be two words. But in the SQL statement I need to use double quote to quote the customer name, such like: select * from "customer name"
Can Oracle accept two words field name or table name. If Yes, then do I need to use double quote, or single quote or other things?

As I know in SQL server, i can create a field called
customer name, can be two words. But in the SQL
statement I need to use double quote to quote the
customer name, such like: select * from "customer
name"
Can Oracle accept two words field name or table name.
If Yes, then do I need to use double quote, or single
quote or other things?Yes, you can do it.
However, most DBAs (even MS SQL Server ones) will tell you that that is bad form.
And of course the reason for doing that should never be because those field names are being displayed. Displaying field names breaks every model that seperates data from display (GUI.)

How to find what sql statement is currently running by scheduler job?

Hi
I scheduled a stored procedure to run every 5 minutes using dbms_scheduler.
The stored procedure internally call serveral other stored procedures.
The scheduled job is in running state and right now I want to find out what is the sql statement the job executing.
Is there any sql query to find out what is sql query the schedular job is running?? Please help me.
Thanks in Advance.

The previous sql id is null in this case.
I already quoted as I am running a pl/sql block in my scheduler job.
begin
usp_test('praram');
end;
I am using the pl/sql block as above in my scheduler job. The USP_TEST inturn calls some other stored procedures and each stored procedure has several inserts and update statements.
The scheduler job is still running. I know the sid of the running scheduler job.
I want to know the job is at which stored procedure and at which insert/update statement.
Please let me know is there any query to fulfil my requirement?
I greatly appreciate your help
Thanks

Sort order of german characters in SQL statements

I've a problem concerning the sort order of the german characters 'd'. 'v'. '|' in SQL statements.
Environment : Oracle Server 7.3.4
SINIX 5.43
The statement comes from an Windows application over OCI to the database.
The result of setting the NLS_SORT param to 'German' is that these characters are treated the same as 'a', 'e' and 'u', and not like 'ae', 'oe' and 'ue', as it is expected.
e.g. ascending sort order :
Bube, Bulut, B|schgens, Butza
but expected is: (| = ue)
Bube, B|schgens, Bulut, Butza
Any idea ?
Thanks for any help in advance.

If two single quotes don't work, try backslash single quote, like \'
The backslash is often used as an escape character, meaning to treat the next character literally.
- tbob
Inventor of the WORM Global

Quote in sql statements

Similar Messages

Maybe you are looking for