i am using windows forms application with MSAccess.... i got data from database table successfully but when i am trying to add data with (') character i got the exception that "OLEDB Exception: Syntax error(Missing Operator)inquery expression" ... Now how can i solve this problem? Plz tell me the solution of this problem....
all characters are accepted but apostrophe character only got error...
Thanks in Advance
This is not realted to MsAccess - the ' is a string delimiter in SQL.
Look at the SQL satement you submit to the database and you will find out it may look something like
SELECT FROM Users WHERE NAME LIKE 'mc'donald'
and
'mc'donald'
has a ' too much.
You need to escape those ('mc''donald') OR - better - use parameters.
Also read up on SQL Injection Attacks - the basics there tell you a lot about how to properly deal with databases.
Related
unclosed quotation mark after the character string 'HD10'.
I have read a lot of solution for this error and it is clearly stated because of ('). However i have done search the greatness apostrophe in my sql.
select * from Voucher where VoucherNo like '%''%'
it came out nothing. This actually means something good. My data are great. But the bad news is, I still cant solve this.
I also did search any truncate or duplicate just, i dont know, hoping it shows somewhere even i know thats not what is about. And this shows no sign of truncate nor duplicate.
If anyone really knows something (beside of giving the same advice to do what i already done), it would help a lot. Thank you.
-----EDITTED-------
this is my program code
public override VoucherCollection GetVoucherWhere(string whereCondition)
{
VoucherCollection VoucherCollection = new VoucherCollection();
Database db = SqlDataHelper.CreateConnection(_sqlConnectionString);
DbCommand dbCommand = db.GetStoredProcCommand("SP_SELECT_Voucher_WHERE");
db.AddInParameter(dbCommand, "whereExpression", DbType.String, " " + whereCondition);
using (IDataReader dataReader = db.ExecuteReader(dbCommand))
**I dont think the error come from the codes, as this program have been running for 2 years. However, it only came right after my client running a new voucher for a bonus. (And the person who run this thing have already transferred to a different department)
The where statement shows all the voucherno in DB.
The dbcommand shows the exception.
im using sql server 2008
Try
select * from Voucher where VoucherNo like '%''''%'
' is opening/closing string char so when you want ' in between string, you will
need escape sequence that is other ' char
for 2 ' chars, two esc char '
ie. ''''
I am taking the input of address from the user in my existing application.
The issue which is coming often is that the user enters any apostrophe or quotation in data due to which exception occurs.
For example :
The user input is :
PLOT # B-102 BLOCK 'C'
Due to the quotes, exception occurs when the data is inserted in database as it looks the syntax mistake in oracle database.
I gone through the following example:
INSERT INTO Person
(First, Last)
VALUES
('Joe', 'O''Brien')
/\
right here
But it depends upon the location where the apostrophe will be inserted , but in my case I don't know whether and where will the user will try to insert such quotations.
How can I handle this ?
Can anyone please help me
Thanks in advance.
It seems like you are building your insert statement by concatenating the string. This is not a good practice. Your application will become vulnerable to SQL injections. You should use parametrized queries to do this.
If you still want to do this, you can use the replace method to replace ' to '' like following code snippet
Replace("'", "''")
To use parameterized queries check the following links.
http://www.techrepublic.com/article/shorten-development-time-by-using-parameterized-queries-in-adonet/
https://www.safaribooksonline.com/library/view/adonet-in-a/0596003617/ch04s04.html
You need to replace the single quotes with 2 single quotes to escape the single quote
string Address = txtAddress.Text;
Address = Address.Replace("'","''");
You can also try this...
string address = "PLOT # B-102 BLOCK \'C\'";
Details: https://msdn.microsoft.com/en-us/library/267k4fw5(v=vs.110).aspx
In C#, WPF, When user enter Single Quote (')
while saving that data in sqlite, it gives me an error : SQL logic error or missing database in 'S: syntax error.
P.S. ONLY WHEN USER ENTER AN Single Quote (') into the Textbox field.
Not with backslash () nor with (")or (`).Those works fine.
Any Suggestion...
It sounds like you are using string concatenation to produce SQL. This is a very bad idea! Read up on SQL Injection Attacks.
Instead you should be using prepared statements.
Please any one help me:
I run my application was created in C# for export data source t XML document, I also use try catch method for correct an error of database access (adapter.Fill(ds)). The problem is show below.
n_org:SELECTs_department.did,s_department.name,s_department.fk_deptFROMs_department
Index #0
Message: Incorrect syntax near ','.
LineNumber: 1
Source: .Net SqlClient Data Provider
Procedure:
Please give a suggestion or any correct code is ok.
Thanks
Your SELECT statement is all wrong - no spaces anywhere!
Instead of what you have right now:
SELECTs_department.did,s_department.name,s_department.fk_deptFROMs_department
use a statement that has the necessary spaces - like this:
SELECT s_department.did, s_department.name, s_department.fk_dept FROM s_department
I'm working on my first database application. It is a WinForms application written in C# using a SQLite database.
I've come across some problems, when a apostrophe is used, my SQLite query fails. Here is the structure of my queries.
string SQL = "UPDATE SUBCONTRACTOR SET JobSite = NULL WHERE JobSite = '" + jobSite + "'";
For instance, if an apostrophe is used in the jobSite var, it offsets the other apostrophes in the command, and fails.
So my questions are:
1. How do I escape characters like the apostrophe and semicolon in the above query example?
2. What characters do I need to escape? I know I should escape the apostrophe, what else is dangerous?
Thanks for your help!
Rather use Parameters
There is a previous stack-overflow question about it
Adding parameters in SQLite with C#
if you need more functionality you can also use Entity Framework
http://sqlite.phxsoftware.com/
Sorry not to familiar with the Syntax but the concept should same.
Something like :
SQLiteCommand Command = "UPDATE SUBCONTRACTOR SET JobSite = NULL WHERE JobSite = #JobSite";
Command.Parameters.Add(new SQLiteParameter("#JobSite", JobSiteVariable));
command.ExecuteNonQuery();
to escape an apostrophe add another apostrophe...
so a string like it's should be inserted as it''s
You may also need to escape quotation marks. The way to do this is to use a backslash as an escape charater...
like so... 'and he said\"escape all those quotes\"'
You should also beware of SQL injections... depending on the type of programming language you are using there exist different functions that can help clean out any malicious code.
C# tutorial on SQL Injections for example
You should never concatenate strings to build SQL queries for SQLite - or for any other SQL DB if possible. It makes your code fragile and opens up potential entry points for injection attacks.
The proper way to do it is to use hosted parameters. This approach removes the need for cumbersome string filtering. I am not sure how to do that in C# for SQLite but any decent language binding for SQLite should allow you to use hosted parameters.