I am trying to replace newline characters in the DB with <br/> tags and have the following MySQL query string written in Perl.
my $queryString = "Select REPLACE(r.form_text,'\n','<br /> '), ... FROM myTable r;"
For some reason, \n is treated as a newline from within Perl and does not seem to replace it with <br/>. Here is what I got when I tried to print $queryString:
REPLACE(r.form_text,'
','< br /> ')
I tried to use \\n and \\\n and it didn't work either. I apologize if this is a repeated question. Please let me know if I'm missing something here.
Of course you get a newline. When you use double quotes to quote a string anything inside it is interpolated, and \n becomes a literal newline. If you want a literal \n, you need to prevent interpolation. Usually, you would use single quotes, but that is impractical since you have those in the string already. So instead, use the q() feature.
my $queryString =
q|Select REPLACE(r.form_text,'\n','<br /> '), ... FROM myTable r;|;
Note that you can use a wide variety of delimiters for q(), in this case, I used pipe |. If you try and print this string, it should have a literal \n. Documentation here.
The MySQL documentation says that it should be \'. However, both scite and mysql show that '' works. I saw that and it works. What should I do?
The MySQL documentation you cite actually says a little bit more than you mention. It also says,
A “'” inside a string quoted with “'” may be written as “''”.
(Also, you linked to the MySQL 5.0 version of Table 8.1. Special Character Escape Sequences, and the current version is 5.6 — but the current Table 8.1. Special Character Escape Sequences looks pretty similar.)
I think the Postgres note on the backslash_quote (string) parameter is informative:
This controls whether a quote mark can be represented by \' in a string literal. The preferred, SQL-standard way to represent a quote mark is by doubling it ('') but PostgreSQL has historically also accepted \'. However, use of \' creates security risks...
That says to me that using a doubled single-quote character is a better overall and long-term choice than using a backslash to escape the single-quote.
Now if you also want to add choice of language, choice of SQL database and its non-standard quirks, and choice of query framework to the equation, then you might end up with a different choice. You don't give much information about your constraints.
Standard SQL uses doubled-up quotes; MySQL has to accept that to be reasonably compliant.
'He said, "Don''t!"'
What I believe user2087510 meant was:
name = 'something'
name = name.replace("'", "\\'")
I have also used this with success.
There are three ways I am aware of. The first not being the prettiest and the second being the common way in most programming languages:
Use another single quote: 'I mustn''t sin!'
Use the escape character \ before the single quote: 'I mustn\'t sin!'
Use double quotes to enclose string instead of single quotes: "I mustn't sin!"
Just write '' in place of ', I mean two times '.
Here's an example:
SELECT * FROM pubs WHERE name LIKE "%John's%"
Just use double quotes to enclose the single quote.
If you insist on using single quotes (and the need to escape the character):
SELECT * FROM pubs WHERE name LIKE '%John\'s%'
Possibly off-topic, but maybe you came here looking for a way to sanitise text input from an HTML form, so that when a user inputs the apostrophe character, it doesn't throw an error when you try to write the text to an SQL-based table in a DB. There are a couple of ways to do this, and you might want to read about SQL injection too.
Here's an example of using prepared statements and bound parameters in PHP:
$input_str = "Here's a string with some apostrophes (')";
// sanitise it before writing to the DB (assumes PDO)
$sql = "INSERT INTO `table` (`note`) VALUES (:note)";
try {
    $stmt = $dbh->prepare($sql);
    $stmt->bindParam(':note', $input_str, PDO::PARAM_STR);
    $stmt->execute();
} catch (PDOException $e) {
    return $dbh->errorInfo();
}
return "success";
In the special case where you may want to store your apostrophes using their HTML entity references, PHP has the htmlspecialchars() function which will convert them to &#039;. As the comments indicate, this should not be used as a substitute for proper sanitisation, as per the example given.
Replace the string
value = value.replace(/'/g, "\\'");
where value is your string which is going to be stored in your database.
Further,
there is an NPM package for this; you can have a look at it:
https://www.npmjs.com/package/mysql-apostrophe
I think if you have any data point with an apostrophe you can add one apostrophe before the apostrophe,
e.g. 'This is John's place'
Here MySQL assumes two sentences: 'This is John' 's place'
You can put 'This is John''s place'. I think it should work that way.
In PHP I like using mysqli_real_escape_string() which escapes special characters in a string for use in an SQL statement.
see https://www.php.net/manual/en/mysqli.real-escape-string.php
please look here:
UPDATE cars_tbl
SET description = '{\rtf1'
WHERE (ID=1)
Description field is "blob", where my RTF document is to be stored.
When I check updated data I always find
{
tf1
\r simply disappears. I tried to find a solution on the web, but no success. My RTF files are corrupted in many places, because the escape characters used in the string are substituted. How to suppress this substitution and update the field with the string as is?
Thanx for advice
Lyborko
Backslash is an escape character, so to keep it you need a double backslash:
UPDATE cars_tbl
SET description = '{\\rtf1'
WHERE (ID=1)
As an aside \r is a carriage return.. and it hasn't disappeared in your data; it is responsible for tf1 appearing on the line below the {.
You can achieve this with a more generic approach:
use of QUOTE() in MySQL.
MySQL QUOTE() produces a string which is a properly escaped data value in an SQL statement, out of a user-supplied string as argument.
The function achieves this by enclosing the string with single quotes, and by preceding each single quote, backslash, ASCII NUL and control-Z with a backslash.
Example:
UPDATE cars_tbl
SET description = QUOTE('{\rtf1')
WHERE (ID=1)
UPDATE
To escape your RTF you can also just use REPLACE; this way all your \ will become \\
Example:
UPDATE cars_tbl
SET description = REPLACE('{\rtf1', '\', '\\')
WHERE (ID=1)
I have selected these lines from the MySQL official site, dev.mysql.com.
I am unable to understand what these lines mean.
There are several ways to include quote characters within a string:
A “'” inside a string quoted with “'” may be written as “''”.
A “"” inside a string quoted with “"” may be written as “""”.
I did not understand how this sql.
mysql> SELECT 'hel''lo';
Output: hel'lo
Please help.
You have a string inside single quotes, then it finds another quote, escaped by yet another code. So, it will translate into
'(start of string)hel'(escaping the next quote)'(the escaped quote)lo'(ending the string)
And thus outputting:
hel'lo
It's simple. If you need to put a quote within a string literal delimited by those quotes, you can't use just a standalone quote character (like 'O'Brien') since there's no easy way to tell which of the second or third quote is the closing quote.
So they introduce a rule. If the SQL interpreter is within a quoted string and it finds another quote, it uses these rules:
if the quote is immediately followed by another quote, assume the user wants one quote within the literal.
otherwise it's the closing quote for the literal.
So, for example, consider:
select * from people where surname = 'O'Brien' order by id
Now you and I can tell which of those quotes actually terminates the string literal because we understand how names work. The computer does not take that for granted, instead requiring:
select * from people where surname = 'O''Brien' order by id
and turning the '' inside the literal into a single '.
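The quote rule from the answer above, and the backslash handling behind the {\rtf1 question earlier on this page, as an added example (not code from any of the posts): a minimal reader for one single-quoted literal. MYSQL_ESCAPES follows MySQL's documented escape table; the function names and sample values are constructed for illustration.

```python
# Added example (not from the answers above): read one single-quoted SQL literal.
# backslash_escapes=True models MySQL's default mode; False models standard SQL
# quoting (e.g. MySQL with NO_BACKSLASH_ESCAPES), where only '' is special.
MYSQL_ESCAPES = {"0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n",
                 "r": "\r", "t": "\t", "Z": "\x1a", "\\": "\\"}

def read_literal(sql, backslash_escapes=True):
    """Return (value, rest): the decoded literal and the SQL text after it."""
    if not sql.startswith("'"):
        raise ValueError("expected an opening single quote")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":       # quote followed by quote: one '
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # otherwise it closes the literal
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]
            # \% and \_ keep their backslash; an unknown \x is read as plain x
            out.append("\\" + nxt if nxt in "%_" else MYSQL_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")

def quote_doubled(value):
    """SQL-standard quoting: double every single quote."""
    return "'" + value.replace("'", "''") + "'"

def quote_backslash(value):
    """Backslash quoting, as in the replace("'", "\\'") snippets on this page."""
    return "'" + value.replace("'", "\\'") + "'"

if __name__ == "__main__":
    samples = [  # constructed inputs, taken from the questions on this page
        "'hel''lo'", r"'{\rtf1'", r"'{\\rtf1'",
        quote_doubled("O'Brien"), quote_backslash("O'Brien"),
    ]
    for sql in samples:
        for mode in (True, False):
            print(f"{sql!r:16} backslash_escapes={mode}: {read_literal(sql, mode)!r}")
```

Doubled quotes decode to the same value in both modes, while the backslash form only decodes as intended when backslash escapes are enabled on the server.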
I have a text file of data that I am importing into a MySQL database. Some of the lines unfortunately contain quotation marks, which causes my SQL queries to go haywire. I would like to get rid of any field that has quotation marks, or at the very least ignore them in my query.
I found something that might work, but being as this is run through a Perl script I am having issues "escaping" the quotation marks. I really don't know how and can't figure it out. I would like to just search through my table and delete any quotation marks (") that it may find or replace it with a single quotation mark or space or anything really.
my $myreplacequery = "REPLACE(s.Title, '"','')";
$sth = $dbh->prepare($myreplacequery);
$sth->execute;
Anyone have any ideas?
Thanks!
Change query to UPDATE on this table:
update tablename set title = REPLACE(title,'\"','\'') where title like '%\"%'
Perl has q and qq (quote-like operators) for this kind of situation. They allow you to choose the quote character to use. q acts like a single-quote (') and doesn't interpolate (expand variables) while qq acts like a double quote (") and does.
my $replacequery = q{REPLACE(s.Title, '"','')};
You actually want to pass a string consisting of a single quote to REPLACE for its 3rd arg, but you're passing an empty string. The necessary SQL is:
REPLACE(s.Title, '"', '\'')
To create that string in Perl, you could use either of the following string literals:
"REPLACE(s.Title, '\"', '\\'')" # Produces: REPLACE(s.Title, '"', '\'')
qq{REPLACE(s.Title, '"', '\\'')} # Produces: REPLACE(s.Title, '"', '\'')
Notice how " needed to be escaped. Without it, Perl would see the following string literal (followed by junk):
"REPLACE(s.Title, '"
^                  ^
|                  |
start              end
of string          of string
literal            literal