String with embedded single quote

Hi, all. We're trying to pass a string from one procedure to another, which will then do an EXECUTE IMMEDIATE on it. However, there are single quotes withing the string, and they're driving us nuts! This is what the concatenated string should look like when passed to the pw_execDDL procedure:
insert into appimmunization.wsrprfs (inoc_id, proof, is_valid,proof_num) values ('MEAG', to_date('02-OCT-05','DD-MMM-YY'), 'Y',1);
Here's the concatenation process that doesn't work, and there are functions being called within the string:
chr_sql := 'insert into appimmunization.wsrprfs (inoc_id, proof, is_valid,proof_num) values (' || '''' || prm_inoc_id || '''' || ', ' || 'to_date(' || '''' || prm_proof1 || ''''||','||'''' ||'DD-MMM-YY'||''''||')' || ', ' || '''' || fw_is_proof_valid(prm_birth_date, prm_proof1) || '''' || ',1);';
pw_execDDL(chr_sql); /* call the procedure to do the EXECUTE IMMEDIATE */
Help! We've tried every combination -- using two single quotes together, three, and four, and still no luck. Thanks.

insert into appimmunization.wsrprfs (inoc_id, proof,
is_valid,proof_num) values ('MEAG',
to_date('02-OCT-05','DD-MMM-YY'), 'Y',1);
This statement can be made in a string with the following affectation:
chr_sql := 'insert into appimmunization.wsrprfs (inoc_id, proof, is_valid,proof_num) values (''MEAG'', to_date(''02-OCT-05'',''DD-MMM-YY''), ''Y'',1)';
Note please that each single quote in your original string must be specified using two single quotes and that is all. It is more readable and more easy to do it this way.
Michel.

Similar Messages

How to replace double quotes with a single quote in a string ?

Hi All:
Can some one tell me how to replace double Quote (") in a string with a single quote (') ? I tried to use REPLACE function, but I couldn;t get it worked.
My example is SELECT REPLACE('STN. "A"', '"', ''') FROM Dual --This one throws an error
Thanks,
Dima.

Whether it is maybe not the more comfortable way, I like the quoting capabitlity from 10g :
SQL> SELECT REPLACE('STN. "A"', '"', q'(')') FROM Dual;
REPLACE(
STN. 'A'{code}
Nicoals.

Embedded Single Quote in SQL Column truncates Java String

I have a jsp web page that queries a database to see what day a user is registered for and then produces an URL for the user to click on. My problem is that the URL being processed stops when an embedded single quote is encountered.
Here is the database side:
Database side:
Create Table registration
(reg_id int not null,
name varchar2(45) not null,
day_nb int not null);
Insert into registration
(reg_id, name, day_nb)
values (1043,'Johnny''s Diner', 1);
Select name, day_nb from registration
where reg_id = 1043;
name, day_nb
Johnny's Diner 1
Snippet of relevant java code: (JSP page)
<%
int day_nb = rs.getInt("day_nb");
String particpant_name = rs.getString("name");
System.out.println("registration.jsp: particpant_name = " + particpant_name);
%>
<td width="84%">
     <a
     href='<%=response.encodeURL("registrationHandler.jsp?"particpant_name="+ particpant_name + "&day_nb="+ day_nb)%>'><%=particpant_name%>
                              </a>
                         </td>
{code}
The following is printed to System.Out:
registration.jsp: particpant_name = Johnny's Diner
The code produces the following URL
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny
The response.encodeURL is stopping on the single quote contained in "Johnny's Diner"
The URL I want is:
http://www.mycompany.com/registrationHandler.jsp?particpant_name=Johnny's Diner&day_nb=1
How do I account for the embedded single quote so the code works properly? Thanks In Advance!

You really need to read up on [SQL Injection|http://en.wikipedia.org/wiki/SQL_injection] and [XSS/Cross-Site Scripting|http://de.wikipedia.org/wiki/Cross-Site_Scripting]. Both present massive security problems and your code seems prone to easily producing both.
For SQL Injection attacks the correct solution is to always use PreparedStatements with only hard-coded String (i.e. never use String concatenation to build SQL statements).
For XSS attacks the solution is a bit harder, but basically you need to learn never to trust user input (that includes user input that you've previously stored in the database!) and always escape what the user sent when you print it back out.

SSAS SSRS Report Action on Cell Value w/ Embedded Single Quote Not Executing

I have configured an SSAS 2008 R2 cube SSRS ReportAction. I'm having problems when the member value for a cell has an embedded single quote, e.g. abc's. The action displays on the context menu appropriately, but when I click on the action, nothing happens.
For member values that do not have the single quote, the action works as designed. I've added a calculated ember to escape the embedded single quote by adding another single quote, e.g. abc''s, with no luck. Is there a resolution or workaround for this?

Hi Mdccuber,
According to your description, you create a reporting action in you cube, and it works fine except the members that have embedded single quote, right? In your scenario, it seems that you pass this value to the report as the parameter.
In SQL Server Analysis Services (SSAS), when pass values to a report, multi-select parameters have to be placed into IN statement and SQL Server Reporting Services (SSRS) will do single-quote wrapping for string values automatically. In this case, the original
value that have embedded single quote will be damaged. So this action not work. You can submit a feedback at
http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of service pack or product.
Regards,
Charlie Liao
TechNet Community Support

SSRS Report Returning Double Quote string from a Single Quote String

Hi, I'm getting weird thing in resultset from SSRS report when executed. When I pass parameter to a report, which passes String that has single quote value to a split function , it returns rows with double quote.
For example following string:
'N gage, Wash 'n Curl,Murray's, Don't-B-Bald
Returns:
''N gage, Wash ''n Curl,Murray''s, Don''t-B-Bald
through SSRS report.
Here is the split function Im using in a report.
CREATE Function [dbo].[fnSplit] (
@List varchar(8000),
@Delimiter char(1)
Returns @Temp1 Table (
ItemId int Identity(1, 1) NOT NULL PRIMARY KEY ,
Item varchar(8000) NULL
As
Begin
Declare @item varchar(4000),
@iPos int
Set @Delimiter = ISNULL(@Delimiter, ';' )
Set @List = RTrim(LTrim(@List))
-- check for final delimiter
If Right( @List, 1 ) <> @Delimiter -- append final delimiter
Select @List = @List + @Delimiter -- get position of first element
Select @iPos = Charindex( @Delimiter, @List, 1 )
While @iPos > 0
Begin
-- get item
Select @item = LTrim( RTrim( Substring( @List, 1, @iPos -1 ) ) )
If @@ERROR <> 0 Break -- remove item form list
Select @List = Substring( @List, @iPos + 1, Len(@List) - @iPos + 1 )
If @@ERROR <> 0 Break -- insert item
Insert @Temp1 Values( @item ) If @@ERROR <> 0 Break
-- get position pf next item
Select @iPos = Charindex( @Delimiter, @List, 1 )
If @@ERROR <> 0 Break
End
Return
End
FYI: I'm getting @List value from a table and passing it as a string to split function.
Any help would be appreciated!
ZK

Another user from TSQL forum posted this code which is returning the same resultset but when I execute both codes in SQL server it works and return single quote as expected.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/8d5c96f5-c498-4f43-b2fb-284b0e83b205/passing-string-which-has-single-quote-rowvalue-to-a-function-returns-double-quoate?forum=transactsql
CREATE FUNCTION dbo.splitter(@string VARCHAR(MAX), @delim CHAR(1))
RETURNS @result TABLE (id INT IDENTITY, value VARCHAR(MAX))
AS
BEGIN
WHILE CHARINDEX(@delim,@string) > 0
BEGIN
INSERT INTO @result (value) VALUES (LEFT(@string,CHARINDEX(@delim,@string)-1))
SET @string = RIGHT(@string,LEN(@string)-CHARINDEX(@delim,@string))
END
INSERT INTO @result (value) VALUES (@string)
RETURN
END
GO
ZK

Query with Apostrophe (single quote)

Hi all,
I have noticed that when you enter a search string with an apostrophe (eg. Tito's Station) in a textbox on a form linked to a table and hit the Query button, it generates an sql error. I think this is cos u cannot have an apostrophe (single quote) in the search string in a "where" clause.
I am using Portal version 3.0.6.6.5 on an 8.1.7 database.
I have logged a tar (1744105.999) for this but it is said to be a bug (1759202). I wish to enquire whether any of you have had this problem with a later version or at which version leve this bug has been fixed.
Does any1 know how to limit the text typed into a texbox, so that it wont accept certain characters (eg. the apostrophe key) ??
Thanks

Hi Rene'
Thanks for your help! This will definitely help me alot! I am a little baffled with your code for delimiting the single quote. I tried it and it doesnt work.
Thanks very much for the response
Naseem
<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Rene' Castle ([email protected]):
This is still an issue in 3.0.8.9.8. You can use a Javascript validation routine to disallow special characters.
If you want to check to see that they only enter certain things you can do:
var s = theElement.value;
var filter=/^[a-zA-Z]{1,}$/;
if (s.length == 0 ) return true;
if (filter.test(s))
return true;
else
alert(" Please input a valid character" );
theElement.focus();
theElement.select();
return false;
The above code would only allow one or more alphabetic characters. You could make it [a-zA-Z0-9] to allow alphanumeric characters. You could also allow anything but specific characters by doing the following:
var s = theElement.value;
var filter=/[^']*/;
if (s.length == 0 ) return true;
if (filter.test(s))
alert(" Please input a string without a single quote (') in it" );
theElement.focus();
theElement.select();
return false;
else
return true;
Hope this gets you started.
Rene'<HR></BLOCKQUOTE>
null

Passing String Which Has Single Quote Row/Value to a Function Returns Double Quoate

Hi, I'm getting weird thing in resultset. When I pass String which has single quote value in it to a split function , it returns rows with double quote.
For example following string:
'N gage, Wash 'n Curl,Murray's, Don't-B-Bald
Returns:
''N gage, Wash ''n Curl,Murray''s, Don''t-B-Bald
Here is the split function:
CREATE Function [dbo].[fnSplit] (
@List varchar(8000),
@Delimiter char(1)
Returns @Temp1 Table (
ItemId int Identity(1, 1) NOT NULL PRIMARY KEY ,
Item varchar(8000) NULL
As
Begin
Declare @item varchar(4000),
@iPos int
Set @Delimiter = ISNULL(@Delimiter, ';' )
Set @List = RTrim(LTrim(@List))
-- check for final delimiter
If Right( @List, 1 ) <> @Delimiter -- append final delimiter
Select @List = @List + @Delimiter -- get position of first element
Select @iPos = Charindex( @Delimiter, @List, 1 )
While @iPos > 0
Begin
-- get item
Select @item = LTrim( RTrim( Substring( @List, 1, @iPos -1 ) ) )
If @@ERROR <> 0 Break -- remove item form list
Select @List = Substring( @List, @iPos + 1, Len(@List) - @iPos + 1 )
If @@ERROR <> 0 Break -- insert item
Insert @Temp1 Values( @item ) If @@ERROR <> 0 Break
-- get position pf next item
Select @iPos = Charindex( @Delimiter, @List, 1 )
If @@ERROR <> 0 Break
End
Return
End
FYI: I'm getting @List value from a table and passing it as a string to split function.
Any help would be appreciated!
ZK

fixed the issue by using Replace function like
Replace(value,'''''','''')
Big Thanks Patrick Hurst!!!!! :)
Though I came to another issue which I posted here:
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/a26469cc-f7f7-4fb1-ac1b-b3e9769c6f3c/split-function-unable-to-parse-string-correctly?forum=transactsql
ZK

Reading String within the single quotes

Hi All,
Can you please let me know, how to read a String within the sinle quote in line.
I have to read a report into internal table and again from that I need to read a string within the single quote. Please help me in this.
Thanks in Advance,
Raghu

I have the following code:
REPORT test.
DATA: v_test(05) TYPE c.
v_test = TTT.
I am getting this errror:
Field TTT is unknown. It is neither kin on e of the specified tables nor defined by a DATA statement.
For some reason, my single quote is not being recognized from my keyboard. I noticed that my emotion icons are not being displayed either (example: I type and i do NOT get the smiley face on my end).
Is there a button that I pressed that caused that?

SQL Injection, replace single quote with two single quotes?

Is replacing a single quote with two single quotes adequate
for eliminating
SQL injection attacks? This article (
http://www.devguru.com/features/kb/kb100206.asp
) offers that advice, and it
enabled me to allow users to search name fields in the
database that contain
single quotes.
I was advised to use "Paramaterized SQL" in an earlier post,
but I can't
understand the concept behind that method, and whether it
applies to
queries, writes, or both.

Then you can use both stored procedures and prepared
statements.
Both provide better protection than simply replacing
apostrophes.
Prepared statements are simple:
Set myCommand = Server.CreateObject("ADODB.Command")
...snip...
myCommand.CommandText = "INSERT INTO Users([Name], [Email])
VALUES (?, ?)"
...snip...
myCommand.Parameters.Append
myCommand.CreateParameter("@Name",200,1,50,Name)
myCommand.Parameters.Append
myCommand.CreateParameter("@Email",200,1,50,Email)
myCommand.Execute ,,128 'the ,,128 sets execution flags that
tell ADO not to
look for rows to be returned. This saves the expense of
creating a
recordset object you don't need.
Stored procedures are executed in a similar manner. DW can
help you with a
stored procedure through the "Command (Stored Procedure)"
server behavior.
You can see a full example of a prepared statement by looking
at DW's
recordset code after you've created a recordset using version
8.02.
"Mike Z" <[email protected]> wrote in message
news:eo5idq$3qr$[email protected]..
>I should have repeated this, I am using VBScript in ASP,
with an Access DB.
>

How to pass presentation variable with enclosing single quotes

HI All,
As all of you know in 11g, Presentation variable can hold more than one value.So we can pass multiple values to the report through presentation variable.
If we select x,y,z values from prompt drop down,then those values will be stored like x,y,z in the presentation variable.
but I would like to store these values with enclosing single quotes like 'x,y,z'
The reason is I need to pass this variable value as input to BI Publisher sql dataset query where clause.
Please share your Ideas.
Thanks,
Aravind

Aravind,
Check this
Predefined Presentation Variables in OBIEE 11G | Praveen&#039;s Blog

Trouble with inserting a string containing a single quote

Using php with Oracle
If I do the following two lines before sending my $Query string through the parse function
$name = "Dominick's";
$Query = "INSERT INTO customers (name) values ('$name')";
it gives me the following error:
Warning: Ora_Parse failed (ORA-00917: missing comma -- while processing OCI function OPARSE)
If I try and force the single quote to be surrounded by double quotes and therefore not be confused:
$name = "Dominick's";
Query = "INSERT INTO customers (name) values (\"$name\")";
Trying that yields the following error:
Warning: Ora_Parse failed (ORA-01741: illegal zero-length identifier -- while processing OCI function OPARSE)
Help
Jeff

If it is possible (and here it is) you should use str_replace instead of ereg_replaceThanks for the reminder about str_replace().
$Query = "INSERT INTO customers (name) values ('".addSlashes($name)."')";This gives an invalid Oracle SQL statement, which will generally fail with
ORA-01756: quoted string not properly terminatedFor Oracle, single quotes must be doubled, not escaped with backslash.
Of the solutions to insert the data, I'd prefer using bind variables
since no escaping or quote doubling is needed.
-- CJ

String value changes single quote ' to double quote "

I am creating a list with different bill codes within single
quotes as follows
<cfset corlist = " '1100 ','1200 ','1300 ','1700 ','1800
','1950 ','7001 ' ">
when I do an output
for
<cfoutput>AND idbillcode IN ( #corlist
#)</cfoutput>
I get the values as follows
AND idbillcode IN ( '1100 ','1200 ','1300 ','1700 ','1800
','1950 ','7001 ')
However when I put the same string within a cfquery the
single quotes get replaced by double quotes as follows
AND idbillcode IN ( ''1100 '',''1200 '',''1300 '',''1700
'',''1800 '',''1950 '',''7001 '') which throws an error.
Anybody has any clues.
Thanks.

However when I put the same string within a cfquery the
single quotes
get replaced by double quotes as follows
AND idbillcode IN ( ''1100 '',''1200 '',''1300 '',''1700
'',''1800
'',''1950
'',''7001 '') which throws an error.
Anybody has any clues.
That is ColdFusion escaping the single quotes, by doubling
them so that
you can search for strings such as "singhpk's code does not
work".
(Note the single quote/apostrophe that would normally break
this string
if it was not escaped.
To tell CF not to do this, one uses the
preserveSingleQuotes() function.
The documentation has all the details.

How to Search strings with and without quotes

Hello,
I need to search a string with quote and without quote the same way
Ex: Wendy's
If user enters wendys without ' also need to return all the Wendy's..!
I appreciate any help...!
Thanks
RG

Hi,
RG wrote:
Hello,
I need to search a string with quote and without quote the same way
Ex: Wendy's
If user enters wendys without ' also need to return all the Wendy's..!
I appreciate any help...!So you want to ignore single-quotes, is that it?
Here's one way:
INSTR ( REPLACE (big_string,       '''')
      , REPLACE (substring_sought, '''')
      ) > 0
I hope this answers your question.
If not, post a little sample data (CREATE TABLE and INSERT statements, relevant columns only) for all the tables involved, and the results you want from that data.
Explain, using specific examples, how you get those results from that data.
Always say what version of Oracle you're using (e.g. 11.2.0.2.0).
See the forum FAQ {message:id=9360002}

REGEXP_LIKE help with literal single-quote

I'm trying to write a check constraint to validate email addresses that may include an apostrophe in the email address. Such as joe.o'[email protected] Here is my sample setup:
create table emails
( email_address varchar2(150)
insert into emails values('[email protected]') ;
insert into emails values('[email protected]') ;
insert into emails values('joey.o''[email protected]') ;
commit;
sql> select * from emails;
EMAIL_ADDRESS
[email protected]
[email protected]
joey.o'[email protected]
alter table emails add constraint email_address_format_ck
CHECK ( REGEXP_LIKE ( email_address, '^[a-z0-9._%-]\'?+@[a-z0-9._%-]+\.mil$','c'));
ERROR at line 2:
ORA-00911: invalid characterIt doesn't like *\'?*
My understanding is this means one or more single-quotes. Anyone know the correct syntax to accept apostrophes?

Hi,
jimmyb wrote:
... insert into emails values('joey.o''[email protected]') ;
That's the correct way (actually, that's one correct way) to include a single-quote in a string literal: use 2 single-quotes in a row.
... alter table emails add constraint email_address_format_ck
CHECK ( REGEXP_LIKE ( email_address, '^[a-z0-9._%-]\'?+@[a-z0-9._%-]+\.mil$','c'));Here, the 2nd argument to REGEXP_LIKE is a string literal, just like 'joey.o''[email protected]' was a string literal.
To include a single-quote in the middle of this string literal, do the same thing you did before: use 2 of them in a row:
CHECK ( REGEXP_LIKE ( email_address, '^[a-z0-9._%''-]+@[a-z0-9._%-]+\.mil$','c'));There were a couple of other problems, too.
I'm sure you meant for the apostrophe to be inside the square brackets. Inside square brackets, \ does not function as an escape character. (Actually, single-quote has no special meaning in regular expressions, so there's no need to escape it anyway.)
I'm not sure what the '?' mark was doing; I left it out.
Of course, you'll have trouble adding the CHECK constraint if any existing rows violate it.
Edited by: Frank Kulash on Feb 10, 2012 6:52 PM

Update with a Single Quote value

how do i update a field containing a sigle quote in a record ?
e.g :
i have a table s_order_item_xa
filed: attr_name
old value: Noofndk
new value: Noofn's
how can i update above field value? i am using row_id in where condition to identify rows which i want to update.

Hi,
Is the question "How can I include a single-quote character in a string literal?", then the answer is to use 2 of them, like this:
UPDATE books
SET     dewey_num = '291''.4'
WHERE   dewey_num = '291.4'
;In Oracle 10 (and up) you can also use Q-notation. For example:
UPDATE books
SET     dewey_num = Q'[291'.4]'
WHERE   dewey_num = '291.4'
;Edited by: Frank Kulash on Sep 14, 2009 9:51 AM

String with embedded single quote

Similar Messages

Maybe you are looking for