unclosed quotation mark after the character string 'HD10'.
I have read a lot of solution for this error and it is clearly stated because of ('). However i have done search the greatness apostrophe in my sql.
select * from Voucher where VoucherNo like '%''%'
it came out nothing. This actually means something good. My data are great. But the bad news is, I still cant solve this.
I also did search any truncate or duplicate just, i dont know, hoping it shows somewhere even i know thats not what is about. And this shows no sign of truncate nor duplicate.
If anyone really knows something (beside of giving the same advice to do what i already done), it would help a lot. Thank you.
-----EDITTED-------
this is my program code
public override VoucherCollection GetVoucherWhere(string whereCondition)
{
VoucherCollection VoucherCollection = new VoucherCollection();
Database db = SqlDataHelper.CreateConnection(_sqlConnectionString);
DbCommand dbCommand = db.GetStoredProcCommand("SP_SELECT_Voucher_WHERE");
db.AddInParameter(dbCommand, "whereExpression", DbType.String, " " + whereCondition);
using (IDataReader dataReader = db.ExecuteReader(dbCommand))
**I dont think the error come from the codes, as this program have been running for 2 years. However, it only came right after my client running a new voucher for a bonus. (And the person who run this thing have already transferred to a different department)
The where statement shows all the voucherno in DB.
The dbcommand shows the exception.
im using sql server 2008
Try
select * from Voucher where VoucherNo like '%''''%'
' is opening/closing string char so when you want ' in between string, you will
need escape sequence that is other ' char
for 2 ' chars, two esc char '
ie. ''''
Related
I am taking the input of address from the user in my existing application.
The issue which is coming often is that the user enters any apostrophe or quotation in data due to which exception occurs.
For example :
The user input is :
PLOT # B-102 BLOCK 'C'
Due to the quotes, exception occurs when the data is inserted in database as it looks the syntax mistake in oracle database.
I gone through the following example:
INSERT INTO Person
(First, Last)
VALUES
('Joe', 'O''Brien')
/\
right here
But it depends upon the location where the apostrophe will be inserted , but in my case I don't know whether and where will the user will try to insert such quotations.
How can I handle this ?
Can anyone please help me
Thanks in advance.
It seems like you are building your insert statement by concatenating the string. This is not a good practice. Your application will become vulnerable to SQL injections. You should use parametrized queries to do this.
If you still want to do this, you can use the replace method to replace ' to '' like following code snippet
Replace("'", "''")
To use parameterized queries check the following links.
http://www.techrepublic.com/article/shorten-development-time-by-using-parameterized-queries-in-adonet/
https://www.safaribooksonline.com/library/view/adonet-in-a/0596003617/ch04s04.html
You need to replace the single quotes with 2 single quotes to escape the single quote
string Address = txtAddress.Text;
Address = Address.Replace("'","''");
You can also try this...
string address = "PLOT # B-102 BLOCK \'C\'";
Details: https://msdn.microsoft.com/en-us/library/267k4fw5(v=vs.110).aspx
I wanted to make my sql query bullet proof and found this question about sanitizing table/column names.
I followed the advices but somehow it doesn't work as expected.
My table name is foo.Bar so I passed it to the CommandBuilder's QuoteIdentifier method and it gave me [foo.Bar] back.
When I call (string)cmd.ExecuteScalar(); it complains that this table doesn't exist. So I tried to initially define the table name as [foo].[Bar]. In this case QuoteIdentifier creates [[foo]].[Bar]]] which also doesn't work.
The only thing that works is when I specify just [foo].[Bar] without using the QuoteIdentifier method.
At this point I'm wondering whether I can use it at all to protect my queries? It is not of much use and tuning the quoted query like another answer suggests also doesn't seem to be right.
Is there anything I can do to protect the query and make it work and accept the name [foo].[Bar] without breaking it?
This is how I'm creating the query:
cmd.CommandText = string.Format(
"SELECT {0} FROM {1} WHERE {2} = '{3}'{4}",
...,
sanitizedTableName, // only [foo].[Bar] works -- [[foo]].[Bar]]] and [foo.Bar] fail
...,
...,
...);
The problem is that the name of the table is bar, not foo.bar. You're using a multi-part identifier - foo is the schema, and bar is the table name.
To get proper quoting, you need to quote each identifier separately:
QuoteIdentifier(schemaName) + "." + QuoteIdentifier(tableName)
The reason for this should be obvious - it's perfectly valid for a quoted identifier to use . as part of the name. That's kind of the whole point of having quoting in the first place.
So throughout my program I have probably 50 or so text boxes in various places. I know how to replace a single quote with something (in this case ' -> \'), but I am thinking there must be a better way to do this than go through and add specific code for every single text box. I have to do this because when this stuff is getting sent to the database, if there is a single quote, it gives an error. Is there a way to change the default TextBox control behavior so that all textboxes in the program automatically replace all single quotes with \'?
EDIT:
string statement = "select count(*) from users where username='#username'";
MySqlCommand command = new MySqlCommand(statement, conn);
command.Parameters.AddWithValue("#username", username);
if (Convert.ToInt32(command.ExecuteScalar()) == 1)
I have been playing with the paramerterized code and this is what I have right now. From how I understand it, the statement string is basically the same as before, but where I used to have the variable "username" I know use a parameter (which I called #username), then the command is created. Then in the parameters.addwithvalue, it replaces the parameter username, with whatever is in the variable username. Unfortunately, this is not working for me, and I don't really see how it helps because username is still just getting stuck in the command?
EDIT: Found the problem, in the statement you don't need to put single quotes around '#username'
so it should be:
string statement = "select count(*) from users where username=#username";
Don't use concatenation to build SQL queries. Use proper parametrized queries. This will make repeated queries a bit faster and will also eliminate input sanitizing code (replacing ' with \' for example) and SQL injection attacks.
You should be using parameterized queries, not only to resolve the problem you have, but also to reduce your exposure to SQL injection. When you use string concatenation to build SQL queries you are suseptable to SQL injection attackes.
U can use onKeyUp javascript function or asp.net OnTextChanged event to create function that will change quotes.
I'm working on my first database application. It is a WinForms application written in C# using a SQLite database.
I've come across some problems, when a apostrophe is used, my SQLite query fails. Here is the structure of my queries.
string SQL = "UPDATE SUBCONTRACTOR SET JobSite = NULL WHERE JobSite = '" + jobSite + "'";
For instance, if an apostrophe is used in the jobSite var, it offsets the other apostrophes in the command, and fails.
So my questions are:
1. How do I escape characters like the apostrophe and semicolon in the above query example?
2. What characters do I need to escape? I know I should escape the apostrophe, what else is dangerous?
Thanks for your help!
Rather use Parameters
There is a previous stack-overflow question about it
Adding parameters in SQLite with C#
if you need more functionality you can also use Entity Framework
http://sqlite.phxsoftware.com/
Sorry not to familiar with the Syntax but the concept should same.
Something like :
SQLiteCommand Command = "UPDATE SUBCONTRACTOR SET JobSite = NULL WHERE JobSite = #JobSite";
Command.Parameters.Add(new SQLiteParameter("#JobSite", JobSiteVariable));
command.ExecuteNonQuery();
to escape an apostrophe add another apostrophe...
so a string like it's should be inserted as it''s
You may also need to escape quotation marks. The way to do this is to use a backslash as an escape charater...
like so... 'and he said\"escape all those quotes\"'
You should also beware of SQL injections... depending on the type of programming language you are using there exist different functions that can help clean out any malicious code.
C# tutorial on SQL Injections for example
You should never concatenate strings to build SQL queries for SQLite - or for any other SQL DB if possible. It makes your code fragile and opens up potential entry points for injection attacks.
The proper way to do it is to use hosted parameters. This approach removes the need for cumbersome string filtering. I am not sure how to do that in C# for SQLite but any decent language binding for SQLite should allow you to use hosted parameters.
i am using windows forms application with MSAccess.... i got data from database table successfully but when i am trying to add data with (') character i got the exception that "OLEDB Exception: Syntax error(Missing Operator)inquery expression" ... Now how can i solve this problem? Plz tell me the solution of this problem....
all characters are accepted but apostrophe character only got error...
Thanks in Advance
This is not realted to MsAccess - the ' is a string delimiter in SQL.
Look at the SQL satement you submit to the database and you will find out it may look something like
SELECT FROM Users WHERE NAME LIKE 'mc'donald'
and
'mc'donald'
has a ' too much.
You need to escape those ('mc''donald') OR - better - use parameters.
Also read up on SQL Injection Attacks - the basics there tell you a lot about how to properly deal with databases.