Hey I want to select records with name O'Neil, How can i do that in Informix.
select * from name_table where lastname = 'O'Neil' --> Doesn't Work.
You must escape single quote with another single quote:
select * from name_table where lastname = 'O''Neil';
With Informix, you generally have two choices.
The Standard SQL technique (described by Michal Niklas) always works and is the simple, recommended solution. All appearances of a single quote in a string are doubled up:
SELECT * FROM Name_Table WHERE LastName = 'O'Neill';
An alternative technique that works unless you have set DELIMIDENT in your environment is to use double quotes around the string:
SELECT * FROM Name_Table WHERE LastName = "O'Neill";
If delimited identifiers are enabled by DELIMIDENT, then this has a different meaning; the DBMS will be looking for a column called "O'Neill" in the table (because it is an identifier, not a string).
If you have both quotes in a string, then you have to be be careful:
SELECT * FROM QuoteTable WHERE Quote = 'He said, "Don''t"!';
SELECT * FROM QuoteTable WHERE Quote = "He said, ""Don't""!';
My 2nd answer with proposition of technology change.
I don't know what technology you use, but maybe you can use PreparedStatements. Example in Jython (Python that can use JDBC drivers):
db = DriverManager.getConnection(jdbc_url, usr, passwd)
pstm = db.prepareStatement("select * from name_table where lastname=?")
pstm.setString(1, "O'Neil")
rs = pstm.executeQuery()
while (rs.next()):
print('[%s]' % (rs.getString(1)))
As you see PreparedStatement use ? as a placeholder and then you must fill it using setString() method. It is very useful if you have to do many similar selects, inserts etc. Have a look at Java6 documentation for this: http://docs.oracle.com/javase/6/docs/api/java/sql/PreparedStatement.html
Similar techniques can be user for ODBC or other technologies.
Related
I m using JSQLPARSER for the first time and I wonder if it s possible to detect remote links (oracle dblink)?
If for example a simple select * from table1#remote
For JSqlParser this would be no special identifier. However, it will accept it as a normal table name. You could extract all used table names using something like:
String sql = "select * from table1#remote";
Statement stmt = CCJSqlParserUtil.parse(sql);
TablesNamesFinder tablesNamesFinder = new TablesNamesFinder();
List<String> tableList = tablesNamesFinder.getTableList(stmt);
assertEquals(1, tableList.size());
assertTrue(tableList.contains("table1#remote"));
And after that, you have to check, like I did with junits assertions, if a table name matches remote dblink syntax.
The Scenario
4 columns, ID, ParentID, Category, OrderNo and Category can have commas in it e.g "Sales, Manager" or "HR, Recruitment" so I would have to handle that without being able to know that the words have quotes around them as the files they use don't so I would need to handle rows with odd number of commas and then treat those rows as ones with categories with commas inside so it's a little more complicated.
I'd personally use the Microsoft Text Driver to parse CSV files, makes dealing with the data alot easier.
First create a text.dsn file and save it somewhere in your web app (in the example i'll assume its where the CSV file is located)
[ODBC]
DRIVER=Microsoft Text Driver (*.txt; *.csv)
UID=admin
UserCommitSync=Yes
Threads=3
SafeTransactions=0
PageTimeout=5
MaxScanRows=25
MaxBufferSize=512
ImplicitCommitSync=Yes
FIL=text
Extensions=txt,csv,tab,asc
DriverId=27
Then treat it as a normal db connection eg:
strPath = server.mappath("/csv/")
sDSNFile = "text.dsn"
strCSVFile = "test.csv"
sDSN = "FileDSN=" & strPath & sDSNFile & ";DefaultDir=" & strPath & ";DBQ=" & strPath & ";"
Set Conn = CreateObject("ADODB.Connection")
Conn.Open sDSN
sql = "SELECT * FROM [" & strCSVFile & "]"
set rs = conn.execute(sql)
do until rs.eof
id = rs("ID")
ParentID = rs("ParentID")
Category = rs("Category")
OrderNo = rs("orderno")
' do something cool here
loop
This way you could pull say all developers out using standard sql
sql = "SELECT * FROM [" & strCSVFile & "] where Category='Developer'"
Hope this helps.
ps. If you don't have it installed, I think the text driver is included as part of Microsoft Access Database Engine redistributable, but it has been a while so may be wrong :)
I have the following sample code. The objective is to run SQL statement with multiple input parameters.
[<Literal>]
let connectionString = #"Data Source=Localhost;Initial Catalog=Instrument;Integrated Security=True"
[<Literal>]
let query = "SELECT MacroName, MacroCode FROM Instrument WHERE MacroCode IN (#codeName)"
type MacroQuery = SqlCommandProvider<query, connectionString>
let cmd = new MacroQuery()
let res = cmd.AsyncExecute(codeName= [|"CPI";"GDP"|]) |> Async.RunSynchronously
However, codeName is inferred to be string type instead of an array or list and give me an error.
Alternatively, I could run the query without where statement and filter based on the result. However, in lots of other cases that returns millions of rows, I would prefer filter data at the SQL server level to be more efficient.
I didn't find any relevant samples on the documentation of fsharp.data.sqlclient. Please help!
"See Table-valued parameters (TVPs)" section in the documentation:
http://fsprojects.github.io/FSharp.Data.SqlClient/configuration%20and%20input.html
If you have an upper bound n on the values in the IN list, you could just make n parameters. If that's unmanageable, I'm afraid the TVP suggestion is your best option. The reason the FSharp.Data.SqlClient library is unlikely to ever support this directly is because the types are generated based on results from sp_describe_undeclared_parameters; there's no T-SQL parser. We had a single digit upper bound in this scenario and were loathe to change the database, so this option worked for us.
You can use STRING_SPLIT to abstract away the use of table-valued parameters. It seems you have to also declare the param first.
DECLARE #param varchar(1000) = #commaSeparatedList
SELECT Col1 FROM MyTable
WHERE Col2 IN (
SELECT value FROM STRING_SPLIT(#param, ',')
)
what is the best way to escape a Search String from an input field to prevent SQLInjections?
Is there an mysql_real_escape_string method like in PHP or should i manually replace/escape the different characters like: OR, AND, LIKE, WHERE, DELETE, INSERT, UPDATE, FROM, GROUP BY, ORDER BY and so on?
closed with the answer from: #Nick Weaver:
I don't think that you have to take care about that.
Using mysql_real_escape_string for a search query is a good option. However you need to be aware of 2 things :
1) If you apply this solution in an other situation, make sure the parameter is always quoted when it gets integrated. In short, mysql_real_escape_string does not protect you against numeric parameters. Here are 2 examples :
$bad_sql = "SELECT * FROM some_table WHERE id=" . mysql_real_escape_string($_GET['id']);
$good_sql = "SELECT * FROM some_table WHERE name='" . mysql_real_escape_string($_GET['id']) . "'";
2) The second thing to consider is that mysql_real_escape_string does not escape wildcard characters (% and _). You should not worry about that. However, a "perfect" solution escape those characters.
For more information you can take a look at http://www.sqlinjection.net.
FYI : The official mysql_real_escape_string reference http://php.net/manual/en/function.mysql-real-escape-string.php.
I want to create a search function on my website, and I don't want to use a plugin for this thing, because it's very simple, but I can't solve this problem:
I give the keyword to the model which creates a query, but I couldn't figure out how to put joker characters in this query.
I'm using Propel
Dennis
The filterByXXX() query functions will use LIKE when your query contains wildcards:
$books = BookQuery::create()
->filterByTitle('War%')
->find();
// example Query generated for a MySQL database
$query = 'SELECT book.* from `book` WHERE book.TITLE LIKE :p1'; // :p1 => 'War%'
Remember, the wildcards you can use in SQL are _ for exactly one and % for zero or more characters. So not ? or *.