Hello!
I am developing a .NET 2.0 solution (C#) using ADO.NET.
I have a question regarding the escape sequences in SQL. Consider the following query:
SELECT * FROM ClauseTranslations WHERE Clause LIKE 'trainee's cost'
Now when executed, this query generates an exception. Very well. The problem is with the
single quote symbol. So what I do, I write it like this:
SELECT * FROM ClauseTranslations WHERE Clause LIKE 'trainee\'s cost'
But this still gives an error... What's the way out?
Regards,
Mohsin
Polite Programmer
More Object Oriented than C#

Replace with
SELECT * FROM ClauseTranslations WHERE Clause LIKE 'trainee''s cost'
The error occurred because of 's,
so you'd better use ''s instead of 's.

When executing a query from a C# application it is better to use a parameterized query, and there won't be any problems with escape characters.

Hi Mohsin,
I don't think SQL syntax supports escape characters like that. To use an embedded single quote in a query like your example, you put two single quotes in the string:
SELECT * FROM ClauseTranslations WHERE Clause LIKE 'trainee''s cost'
Ron

That way SQL Injection Attacks lie....
Rather than escape characters, use parameterised queries.
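Both this reply and the earlier one recommend parameters over escaping. As an added example (not code from the thread), here is the OP's LIKE query in .NET 2.0 ADO.NET done both ways; the connection string is a placeholder and the column width of 200 is an assumption.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. Compares doubling the quote by hand with
// binding the text as a parameter for the OP's query against ClauseTranslations.
static class ClauseLookup
{
    // Hand-built statement: the only escape T-SQL knows inside a string literal
    // is the doubled quote, so "trainee's cost" must become 'trainee''s cost'.
    // Every call site has to remember this, and the value still ends up inside
    // the statement text.
    public static string BuildByConcatenation(string clause)
    {
        return "SELECT * FROM ClauseTranslations WHERE Clause LIKE '"
             + clause.Replace("'", "''") + "'";
    }

    // Parameterized statement: the text travels separately from the SQL, so no
    // escaping is needed and it can never alter the statement's structure.
    public static DataTable FindByParameter(SqlConnection conn, string clause)
    {
        DataTable rows = new DataTable();
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT * FROM ClauseTranslations WHERE Clause LIKE @clause";
            // Column width (200) is an assumption; size the parameter to the column.
            cmd.Parameters.Add("@clause", SqlDbType.NVarChar, 200).Value = clause;
            // A parameter does not neutralize LIKE wildcards: if '%' or '_' in the
            // value must match literally, escape them (ESCAPE clause) before binding.
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(rows);
            }
        }
        return rows;
    }

    static void Main()
    {
        Console.WriteLine(BuildByConcatenation("trainee's cost"));
        // Placeholder connection string; replace with the application's own.
        string placeholder = "Data Source=.;Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI";
        using (SqlConnection conn = new SqlConnection(placeholder))
        {
            conn.Open();
            DataTable rows = FindByParameter(conn, "trainee's cost");
            Console.WriteLine(rows.Rows.Count + " row(s)");
        }
    }
}
```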

Good advice, but it doesn't answer his question.
*If* he is accepting user input to build the query, then SQL Injection attacks are an issue.
If the entire query as written is part of his internal code, there is no danger.
Ron

Ron Savage wrote: If the entire query as written is part of his internal code, there is no danger.
That's untrue.
There is the possibility of a Second Order Attack. This is where supposedly cleansed data that is already sitting in the database can be used to form an attack. All the data used is internal to the system at the time the SQL is formed, but the threat is just as real.

Colin Angus Mackay wrote: There is the possibility of a Second Order Attack. This is where supposedly cleansed data that is already sitting in the database can be used to form an attack. All the data used is internal to the system at the time the SQL is formed, but the threat is just as real.
Another excellent bit of advice, yet again completely outside the context of the discussion.
Neither the original question nor my response involved building a query from any external data. Without the inclusion of external text that may at some point have been entered by an end user of the program - SQL Injection attacks are not an issue.
Ron

Ron Savage wrote: Another excellent bit of advice, yet again completely outside the context of the discussion.
Is it?!
Ron Savage wrote: Neither the original question nor my response involved building a query from any external data.
Who's to say where the data came from? The OP certainly didn't. So any discussion on the matter is pure speculation without a definitive answer from the OP. As such, it becomes important that the issue of SQL Injection is raised... just in case.
Ron Savage wrote: Without the inclusion of external text that may at some point have been entered by an end user of the program - SQL Injection attacks are not an issue.
Hardcoding fully formed SQL statements into one's program is hardly common. The more common scenario is that the statement contains some variable data. As such, in case the OP is giving a simplified example (which is common) it "yet again" becomes important to raise the issue of SQL Injection Attacks.
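The second-order case discussed above, as an added example that is not code from the thread: the clause is stored safely through a parameter, but a later statement that splices the stored text back in by concatenation is just as exposed as one built from direct user input. The Translation column and the table layout are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. The clause is written with a parameter,
// so the apostrophe is stored intact; the danger appears when that stored
// value is later concatenated into another statement. Column "Translation"
// is an assumption.
static class SecondOrder
{
    // Safe write: the value goes in as data and is stored exactly as typed.
    public static void StoreClause(SqlConnection conn, string clause, string translation)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO ClauseTranslations (Clause, Translation) VALUES (@c, @t)";
            cmd.Parameters.Add("@c", SqlDbType.NVarChar, 200).Value = clause;
            cmd.Parameters.Add("@t", SqlDbType.NVarChar, 200).Value = translation;
            cmd.ExecuteNonQuery();
        }
    }

    // Unsafe reuse: the value now comes from our own table, yet it was typed by
    // someone once. With "trainee's cost" the quotes are unbalanced and the
    // statement fails; other stored text could change what the statement does.
    public static string BuildReuseByConcatenation(string storedClause)
    {
        return "SELECT Translation FROM ClauseTranslations WHERE Clause = '"
             + storedClause + "'";
    }

    // Safe reuse: same lookup, value bound as a parameter regardless of origin.
    public static string LookupTranslation(SqlConnection conn, string storedClause)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT Translation FROM ClauseTranslations WHERE Clause = @c";
            cmd.Parameters.Add("@c", SqlDbType.NVarChar, 200).Value = storedClause;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    static void Main()
    {
        // Shows the reused statement text without needing a database.
        Console.WriteLine(BuildReuseByConcatenation("trainee's cost"));
    }
}
```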

How can we store the backup in SQL?
Pramod

pramodprakash2005 wrote: How can we store the backup in SQL?
I don't understand your question.
Do you want to store the backup of your SQL Server database somewhere?
Do you want to store the backup of something else in SQL Server?

Hi guys, I've heard of many different ways of connecting to a database, like config file, text file and ... I'd like to know which of them all is the best and safest!
TX
Mr.K

It depends on the situation.
I generally put the connection string in the config file - And I use a trusted connection, so the user name and password are not exposed.

Could you give me a sample by any chance?

mrkeivan wrote: Could you give me a sample by any chance?
Of what? Putting a connection string in the application's configuration file? That is a very basic thing and is covered in any basic introduction to the .NET Framework.
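An added example, not from the thread, of the setup described a few replies up: the connection string lives in App.config and uses a trusted connection, so no login or password sits in the file, and the application checks this before opening. The entry name "Main", the server and the database name are placeholders.

```csharp
using System;
using System.Configuration;          // reference System.Configuration.dll
using System.Data.SqlClient;

// Added example, not from the thread. App.config (assumed) contains:
//   <connectionStrings>
//     <add name="Main"
//          connectionString="Data Source=.;Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI" />
//   </connectionStrings>
// Windows authentication is used, so no user name or password is stored on disk.
static class TrustedConnection
{
    // True only for a string that relies on Windows authentication and carries
    // no SQL login; a weak entry such as
    //   "Data Source=.;User ID=app;Password=secret" is rejected.
    public static bool UsesTrustedConnection(string connectionString)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder(connectionString);
        return b.IntegratedSecurity
            && string.IsNullOrEmpty(b.UserID)
            && string.IsNullOrEmpty(b.Password);
    }

    // Reads the named entry and refuses to open anything that embeds credentials,
    // so a later edit to the config file cannot quietly put a password on disk.
    public static SqlConnection Open(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new ConfigurationErrorsException("No connection string named '" + name + "'");
        if (!UsesTrustedConnection(settings.ConnectionString))
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' must use Integrated Security without a login");
        SqlConnection conn = new SqlConnection(settings.ConnectionString);
        conn.Open();
        return conn;
    }

    static void Main()
    {
        Console.WriteLine(UsesTrustedConnection(
            "Data Source=.;Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI"));
        Console.WriteLine(UsesTrustedConnection(
            "Data Source=.;Initial Catalog=PLACEHOLDER_DB;User ID=app;Password=secret"));
        using (SqlConnection conn = Open("Main"))
        {
            Console.WriteLine("Connection state: " + conn.State);
        }
    }
}
```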

Hi All
I want to ask you how I can use a TreeView in VB.NET to browse for folders
in a specific drive (c:\, d:\, .....).
I want to view all files and I want to open them when they are clicked
(I want VB.NET code to implement this; in other words my problem looks like the tree of folders in Windows: when we select a folder all its contents are opened beside it and we can select any file by clicking on it).

Table 1
-------
col1  col2
----------
1     1
1     2

Table 2
-------
col1  col3
----------
1     a
1     b
1     c
1     d

Please help me out in building a query which gives the following output:
col1  col2  col3
----------------
1     1     a
1     2     b
1     NULL  c
1     NULL  d
Thank you

SELECT T2.col1, T1.Col2, T2.Col3
FROM T1
RIGHT OUTER JOIN T2 ON T1.Col1 = T2.Col1

I appreciate your help. But sorry Colin Angus Mackay, it doesn't give the format I wanted; I already tried out all the joins.

Hi Raj,
select
    t2.col1,
    t1.col2,
    t2.col3
from
    tab2 t2
    LEFT OUTER JOIN tab1 t1
        ON ( t1.col2 = ascii(t2.col3) - 96 )
Results:
col1        col2        col3
----------- ----------- ----
1           1           a
1           2           b
1           NULL        c
1           NULL        d
Pretty silly way to join data though, I hope it was part of a "puzzle" question and not a serious solution.
Ron

Hi, I want to show the total number of months between two dates,
ex:
I show the date in (mm/dd/yyyy) format
Startdate    enddate
03/02/2007   06/02/2008
I want to show 11 months; how do I do this?
Please, anyone help me...,
-- modified at 6:02 Saturday 26th May, 2007
Magi

select datediff(Month,'01/01/2000','01/01/2001')

Thanks a lot,
keep in touch...,
Magi