I have the following dml sql (generated by mysql wb):
INSERT INTO `status_need` VALUES (1,1,1,'famille cherchant une autre famille (pour garde partagée ou sortie d\'école)'),(2,1,2,'famille cherchant professionnelle de la garde d\'enfants'),(3,2,1,'professionnelle de la garde d\'enfants cherchant enfants à garder');
When I run it from java, it raises an error probably because of the apostrophe/quote within the value of the field.
I am not sure why that is because the quote is escaped by a backslash and what is more, this SQL was generated by mysql itself.
Can anyone please let me know how to solve this problem?
I'm guessing that your Java code has a string literal that looks like this:
"INSERT INTO `status_need` VALU...ie d\'écol..."
?
The reason that doesn't work is that in Java, inside a string literal, \' means '. You need to escape the backslash \ by writing \\ instead:
"INSERT INTO `status_need` VALU...ie d\\'écol..."
(Or, as danihp says, you can sidestep the issue by writing '' instead of \': MySQL supports both ways of escaping a single-quote inside a single-quoted string.)
Quoting mysql documentation:
There are several ways to include quote characters within a string:
A “'” inside a string quoted with “'” may be written as “''”.
A “"” inside a string quoted with “"” may be written as “""”.
Precede the quote character by an escape character (“\”).
A “'” inside a string quoted with “"” needs no special treatment and need not be doubled or escaped. In the same way, “"” inside a string quoted with “'” needs no special treatment.
But the right answer is that you should look for a way that java make this for you. Somethink like real_escape php function. See : http://docs.oracle.com/javase/1.4.2/docs/api/java/sql/PreparedStatement.html
The recommended approach is mostly use prepared statements. You may refer to below link
http://lists.mysql.com/java/5469
Also replacing all occurrences manually may have strange results. For this please refer to below blog explantion.
http://www.bartbusschots.ie/blog/?p=141
Related
i'm working on a SQL procedure where i came across a Regular expression which contains this piece -
REGEXP '\\s*count\\s*\\('
i do not understand why there are two backslash ? what can be inferred from this code.
Backslash is processed at multiple levels.
It's the escape prefix in regular expressions: it makes special characters like . and ( be treated literally, and is used to created escape sequences like \s (which means any whitespace character).
But it's also the escape prefix in string literals, used for things like \n (newline) and \b (backspace). So in order for the regular expression character to get a literal backslash, you need to escape the backslash itself.
This is common in many programming languages, although a few have "raw string literals" where escape sequences are not processed, specifically to avoid having to double the slashes so much.
I need to insert a special character in the html file translation.
The character is a space, need it to try to solve another problem.
But it is not working. The code for that character is displayed in the subject of the email.
For this I insert these lines:
pt.yml
subjects:
...
release_auto_pause_triggered_html: "%{project_name} %{release_name} - pausa automática disparada"
release_mailer.rb
subject = t('subjects.release_auto_pause_triggered_html', project_name: #project.name, release_name: #release.name).html_safe
But the subject of the email sent is as follows: pausa automática disparada
The "'" I added just to make this post, but it would not give to see here.
I need to look like this: "pausa automática disparada"
Where am I going wrong?
I think I manage to do it. Try this "pausa automática\xA0disparada"
Source:
Using single-quoted scalars, you may express any value that does not contain special characters. No escaping occurs for single quoted scalars except that a pair of adjacent quotes '' is replaced with a lone single quote '.
Double-quoted is the most powerful style and the only style that can express any scalar value. Double-quoted scalars allow escaping. Using escaping sequences \x** and \u**, you may express any ASCII or Unicode character.
And here I found the necessary code
My output is:
# YML
title: "Title \xA0 aaa"
# console
I18n.t('title')
=> "Title aaa"
It should work this way. Try to check for typos.
In your example
"pausa automática ';disparada""
there is extra ' between   and ;.
When i am reading some text from an Xml and putting it to the database i am getting a error if the text contains '(apostrophe) . How to overcome this problem while i am inserting into the DB.
Where ever the apostrophe is add a \ (backslash) before it. Using your text editor to do a find and replace all for ' to \' should work. BE CAREFUL not to mess up the XML structure.
ex.
John's
Needs to be
John\'s
You can also use PHP or C# to escape it for you also.
Here is the PHP function.
You should always escape you input data with whatever language-specific methodology you have for doing so. For MySQL the escape character is \. Another alternative is to use prepared statements with parametrized inputs. This would eliminate the need to escape the single apostrophe.
My guess is that you also have a significant SQL injection vulnerability with the way you are doing things. If you are not even escaping your input values or using parametrized prepared statements, then one could easily inject malicious code into the XML.
I don't know what language or method you're using for your import. Typically it's the backslash character, \ . So you would need to replace 's with \'. Make sense?
From 9.1.1 String Literals in the MySQL reference:
There are several ways to include quote characters within a string:
A “'” inside a string quoted with “'” may be written as “''”.
A “"” inside a string quoted with “"” may be written as “""”.
Precede the quote character by an escape character (“\”).
A “'” inside a string quoted with “"” needs no special treatment and need not be doubled or escaped. In the same way, “"” inside a string quoted with “'” needs no special treatment.
Thus, the given string foo'bar can be written in MySQL1:
'foo''bar'
'foo\'bar'
"foo'bar"
While the above addresses the primary question, use placeholders (aka prepared statements) - look up the correct method per language/adapter. Placeholders eliminate the need to quote (which prevents mistakes introduced by custom logic) and prevent against many cases of malicious SQL injection.
1 The syntax chosen by MySQL differs from other common SQL implementations; this syntax is not universal.
I have two databases. One has apostrophe in names like O'Bannon and one does not. I need to merge them and find the duplicates. Since it's harder to add the apostrophes I'm tring to remove them instead
But this...
UPDATE Client
SET Last_Name = REPLACE(''','')
Clearly won't work. How does one escape the '.
I'm using Xojo (not PHP)
Like you say, you'll want to escape quote characters.
See this documentation on string literals:
There are several ways to include quote characters within a string:
A “'” inside a string quoted with “'” may be written as “''”.
A “"” inside a string quoted with “"” may be written as “""”.
Precede the quote character by an escape character (“\”).
A “'” inside a string quoted with “"” needs no special treatment and need not be doubled or escaped. In the same way, “"” inside a string quoted with “'” needs no special treatment.
Depending on how you're dealing with the SQL, though, you may need to do more than that. If the application is escaping the quote character, and passing that to a stored procedure call, you may run into the same issue if you are not using parameter binding with prepared statements. This is due to MySQL removing the escape character upon processing the inputs of the SP. Then the unsantized character makes its way to the query construction and the problem repeats itself if it should be escaped there. In this case, you'll want to switch to parameter binding, so that the escaping and query construction is out of your hands.
Here we go:
UPDATE Client SET Last_Name = REPLACE(Last_Name, '\'', '');
You just need to escape apostrophe will backslash .
Simply add an escape character(\) in front of the quote:
SET Last_Name = REPLACE('\'','')
Still I don't think this is the right way to go as you will lose the information for the original name of the person and so o'reily and oreily will seem to be the same surname to you.
From 9.1.1 String Literals
Table 9.1. Special Character Escape Sequences
Escape Sequence Character Represented by Sequence
\0 An ASCII NUL (0x00) character.
\' A single quote (“'”) character.
\" A double quote (“"”) character.
\b A backspace character.
\n A newline (linefeed) character.
\r A carriage return character.
\t A tab character.
\Z ASCII 26 (Control+Z). See note following the table.
\\ A backslash (“\”) character.
\% A “%” character. See note following the table.
\_ A “_” character. See note following the table.
Of course if ANSI_MODE is not enabled you could use double quotes
If in case you are just looking to select, i.e., to match a field with data containing apostrophe.
SELECT PhraseId FROM Phrase WHERE Text = REPLACE("don't", "\'", "''")
What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others?(I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string in PHP are not valid)
mysql_real_escape_string() from mysql.com docs:
The string in from is encoded to an escaped SQL string, taking into account the current character set of the connection. The result is placed in to and a terminating null byte is appended. Characters encoded are NUL (ASCII 0), “\n”, “\r”, “\”, “'”, “"”, and Control-Z (see Section 8.1, “Literal Values”). (Strictly speaking, MySQL requires only that backslash and the quote character used to quote the string in the query be escaped. This function quotes the other characters to make them easier to read in log files.)
mysql_real_escape_string() is character set aware, so replicating all its abilities (especially against multi-byte attack issues) is not a small amount of work.
From http://cognifty.com/blog.entry/id=6/addslashes_dont_call_it_a_comeback.html:
AS = addslashes()
MRES = mysql_real_escape_string()
ACS = addcslashes() //called with "\\\000\n\r'\"\032%_"
Feature AS MRES ACS
escapes quote, double quote, and backslash yes yes yes
escapes LIKE modifiers: underscore, percent no no yes
escapes with single quotes instead of backslash no yes*1 no
character-set aware no yes*2 no
prevents multi-byte attacks no yes*3 no
What languages do you need to support? It is much better to use a language's built-in sanitization than to write your own.
Edit: Looking at mysql_real_escape_string on php.net:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.