I'm receiving an error regarding the following syntax used for pattern matching:
'%[0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][.-][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][.-][0-9][0-9][0-9][0-9][0-9][0-9]'
SQL SERVER 2008 does not like the [.-] portion.
What is the correct syntax when looking for only a period or a hyphen as the segment separator?
Thanks
You probably just need to escape the hyphen...
WHERE SomeColumn LIKE '%[0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][.!-][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][0-9,A-Z][.!-][0-9][0-9][0-9][0-9][0-9][0-9]' ESCAPE '!'
Related
I have an update query that updates a column that holds another application SQL query.
Putting SQL inside has been problematic; I wanted to resolve it with escape characters.
update
my_table
set
sql_column = 'UPDATE inner_table SET user_name=\'user_name\' text=\'this this free text with things like \" inside it and drives me made\''
where
condition_col = 123456
The above is correct in any SQL syntax checker; however, Sybase throws an error, simply: Incorrect syntax near 'username.'
I am new to Sybase; please help.
I was expecting that Sybase would behave like MySQL, which is different.
Sybase (and ANSI-standard SQL*) escapes the single quote with itself. You don't need to do anything special with a double quote inside a string literal (since in ANSI-standard SQL double quotes do not create literals).
sql_column = 'UPDATE inner_table SET user_name=''user_name'' text=''this this free text with things like \\" inside it ...'
But Sybase will NOT behave like MySQL (it's far more standards compliant).
Lacking some context here, but this kind of code is also likely to end up leaving you dangerously susceptible to SQL injection issues, and that's a really big deal.
* The link is for Informix, but it does a good job explaining the standard
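The quoting rule from the answer above, as an added example (not code from the original posts): Python's sqlite3 stands in for Sybase because SQLite also follows the standard and does not treat a backslash as an escape. The table and column names come from the question; the inner statement and the helper function names are constructed for illustration.

```python
import sqlite3

# Constructed sample: SQL text to be stored as data in my_table.sql_column.
INNER_SQL = ("UPDATE inner_table SET user_name='user_name', "
             "text='free text with things like \" inside it'")
UPDATE_LITERAL = "UPDATE my_table SET sql_column = '{}' WHERE condition_col = 123456"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE my_table (condition_col INTEGER, sql_column TEXT)")
    db.execute("INSERT INTO my_table VALUES (123456, NULL)")
    return db

def stored(db):
    return db.execute("SELECT sql_column FROM my_table").fetchone()[0]

def store_backslash_escaped(db, text=INNER_SQL):
    # MySQL-style \' : a standard-conforming parser ends the literal at the quote.
    try:
        db.execute(UPDATE_LITERAL.format(text.replace("'", "\\'")))
        return "accepted"
    except sqlite3.OperationalError as exc:
        return f"rejected: {exc}"

def store_doubled_quotes(db, text=INNER_SQL):
    # Standard escaping: each ' inside the literal is written as ''.
    db.execute(UPDATE_LITERAL.format(text.replace("'", "''")))
    return stored(db)

def store_bound(db, text=INNER_SQL):
    # Bound parameter: the text travels as data, so no escaping is involved.
    db.execute("UPDATE my_table SET sql_column = ? WHERE condition_col = ?",
               (text, 123456))
    return stored(db)

if __name__ == "__main__":
    db = make_db()
    print(store_backslash_escaped(db))
    print(store_doubled_quotes(db) == INNER_SQL)
    print(store_bound(db) == INNER_SQL)
```

The bound-parameter form is the one that also removes the injection risk mentioned in the answer, since the stored text never becomes part of the statement being parsed.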
I have a query that contains some characters that cause a syntax error because it contains reserved characters, and I am battling to understand how to escape the string correctly.
The query is:
SELECT * FROM `products`
WHERE MATCH (code, description)
AGAINST (UPPER(+("intel"*) +("cpu"*)) IN BOOLEAN MODE)
But when I run this query I get the following error:
1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ') +("cpu"*)) ) IN BOOLEAN MODE)' at line 1
Okay, so fine, it does not like the ) as it would indicate that the AGAINST is being closed; however, it is not (yet). So I tried to escape it with a backslash, but it still throws the same error.
If I try this in PHP using a prepared statement while binding the search string +("intel"*) +("cpu"*) into the statement it works. So it seems that the way that it escapes it is not with a backslash or that there is something else.
So I was looking at the PHP documentation for mysql_escape_string and I saw that it: "prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.".
Which indicates that the single and double quotes need to be escaped, and I tried to do this, but it just throws the same syntax error but on the double quote character, i.e. to use near '\"intel\"*\)...
I do understand that it would be best to use prepared statements and that this solves the problem but I just want to understand what I have done wrong here and how I could escape a string like this within an AGAINST clause as I have done here.
If anyone could suggest where I have gone wrong with this then it would be greatly appreciated. Thank you.
Well, I managed to solve this.
I read an answer on another SO question that helped me here. What I realised is that when a prepared statement includes the relative object it encapsulates it with quotes, so in actual fact UPPER(?) would become UPPER("prepared string"), which means that UPPER(+("intel"*) +("cpu"*)) should actually be UPPER('+("intel"*) +("cpu"*)').
So the result is:
SELECT * FROM `product`
WHERE MATCH (code, description)
AGAINST (UPPER('+("intel"*) +("cpu"*)') IN BOOLEAN MODE)
Which does work without syntax errors.
As a note, if you are escaping strings in MySQL it would be worthwhile to note that MySQL uses C escape syntax in strings.
Having followed some tips on escaping apostrophes, I am getting an unexpected combination of escape characters in the resulting SQL statement. The following Rails 4 Active Record statement is run against 5.5.42-MariaDB:
User.where(["surname LIKE ?", "%#{params[:search]}%"])
Where
params[:search] = "O'Keefe"
A .to_sql generates
SELECT * FROM users WHERE surname LIKE '%O\\'Keefe%'
MySQL/MariaDB expects an apostrophe to be escaped as two single apostrophes '', or with a single backslash \', so this results in a syntax error. I am looking for help to understand why two backslashes \\' are appearing, and for a solution that will maintain protection against SQL injection.
UPDATE
After further investigation following suggestions below, it appears as though the console .to_sql output SELECT * FROM users WHERE surname LIKE '%O\\'Keefe%' is not what is passed on to MySQL. It failed for me 'cos I simply copied the statement into a mysql console to test execution. There is some black magic en route to the database that converts the double backslash \\' into a valid MySQL escape sequence.
So problem 1/2 solved
User.where(["surname LIKE ?", "%#{params[:search]}%"])
is valid syntax that correctly auto-escapes the user input string. But can anyone shed any light on the reason for the generation of the double backslash and how it is modified on its way to database execution?
Try this:
User.where(["surname LIKE ?", "%#{params[:search].gsub("'", "''")}%"])
http://dev.mysql.com/doc/refman/5.0/en/string-literals.html#character-escape-sequences
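An added example, not from the original thread, of what a bound LIKE parameter does and does not handle: the apostrophe needs no manual escaping, but % and _ inside the search term still act as wildcards unless they are escaped. It uses Python's sqlite3 as a stand-in for MariaDB; the sample rows and the escape_like and search helpers are assumptions made for the illustration.

```python
import sqlite3

def make_users():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (surname TEXT)")
    # Constructed sample rows.
    names = ["O'Keefe", "OKeefe", "Smith_Jones", "SmithXJones", "100% Real"]
    db.executemany("INSERT INTO users VALUES (?)", [(n,) for n in names])
    return db

def escape_like(term, esc="!"):
    # Escape the escape character first, then the two LIKE wildcards.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def search(db, term, literal=True):
    # The pattern is always bound as data; literal=False skips wildcard escaping.
    pattern = "%" + (escape_like(term) if literal else term) + "%"
    rows = db.execute(
        "SELECT surname FROM users WHERE surname LIKE ? ESCAPE '!' ORDER BY surname",
        (pattern,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_users()
    print(search(db, "O'Keefe"))                      # bound as-is
    print(search(db, "O'Keefe".replace("'", "''")))   # doubled before binding
    print(search(db, "Smith_Jones", literal=False))   # _ acts as a wildcard
    print(search(db, "Smith_Jones"))                  # _ matched literally
```

Doubling the apostrophe before binding makes the query look for two apostrophes, so it finds nothing. In Rails, ActiveRecord's sanitize_sql_like serves the same purpose as the escape_like helper here.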
The ' ' character cannot be included in a name.
I use a log manager to log the error to a SQL Server 2008 database. Of course, it will raise another error in SQL Server because it contains the special characters ' '. So what is the best way to handle special characters in SQL Server?
This is because you are using a space in an XML name. Correct your XML code to not have spaces in any tag names; this isn't SQL Server 2008 specific.
To get a column to handle special characters, define it as an NVARCHAR instead of a VARCHAR.
Your question is a bit vague. Do you want to prevent the user from having a space? And if so, do you want to not allow there to be a space character, or just get the space character out? If so, do something like replace(#yourInputString, ' ', '').
If this is not what you are looking for, please clarify your question and your exact requirements.
Is there a way to escape the * character in a full-text Contains function in SQL Server 2008? I've tried a standard escape by using square brackets, but that just throws a syntax error.
Also, any solution can only use full-text functions as the column I'm searching is an image/blob column.
There is no point in escaping and searching for special characters such as * because they are treated like word separators and are not indexed. Fulltext indexes do not support searching for them.
See also related question SQL Server Full Text Search Escape Characters?