Post reply

Update column containing a quote

  • December 13, 2006 at 1:12 pm

    #174054

    How can I update a column w/ a QUOTE in the persons name?

    UPDATE

    Customers SET Last_Name = 'O'CONNOR' WHERE Cust_ID =  'A34778'

     

    BT

  • December 13, 2006 at 1:18 pm

    #677890

     Double the quotes (2 single quotes >> 2 characters) :

    UPDATE Customers SET Last_Name = 'O''CONNOR' WHERE Cust_ID =  'A34778'

  • December 13, 2006 at 1:20 pm

    #677891

    Also the use of a stored proc would completely void the need for this :

     

    CREATE PROCEDURE dbo.Demo @LastName AS VARCHAR(30), @CustID AS VARCHAR(10)

    AS

    SET NOCOUNT ON

    UPDATE dbo.Customers SET Last_name = @MyParam WHERE Cust_ID = @CustID

    SET NOCOUNT OFF

    GO

  • December 13, 2006 at 1:43 pm

    #677898

    I'll second Ninja's suggestion of using a stored proc. Building applications that build sql string from data (any data) introduces a very significant security flaw.

    Some examples:

    User input expects username/password user enters admin'-- for username nothing for password

    SELECT * from accounts where username = 'admin'--' and Password = ''

    Just doublequoting everythign won't work to protect you either (especially in a weak-typed language like vbscript asp)

    User input expects a number, user enters 5;TRUNCATE TABLE MyReallyImportantData --

    SELECT * FROM groupData WHERE group = 5;TRUNCATE TABLE MyReallyImportantData -- and session = 32

    SQL guy and Houston Magician

  • December 13, 2006 at 1:46 pm

    #677900

    More on this here :

    http://www.sommarskog.se/dynamic_sql.html

    http://www.sommarskog.se/dyn-search.html

    http://www.sommarskog.se/arrays-in-sql.html

  • December 14, 2006 at 7:02 am

    #678064

    UPDATE Customers SET Last_Name REPLACE(@LastName,'''','''''') WHERE Cust_ID =  'A34778'

    Do heed the other's warnings about SQL Injection attacks...

    --Jeff Moden

    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • December 14, 2006 at 7:11 am

    #678068

    Since when do we need to use replace on parameters when not using dynamic sql?

     

    And how would the param be set in the first place?

  • December 14, 2006 at 7:40 am

    #678074

    SET QUOTED_IDENTIFIER OFF

    SELECT "Now ' you can use '' quotes ' in your '' strings"  

    SET QUOTED_IDENTIFIER ON

     

     

  • December 14, 2006 at 7:44 am

    #678075

    Why change that setting when you don't have too???

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply

Cookies on SQLServerCentral

This website stores cookies on your computer.

These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media.

To find out more about the cookies we use, see our Privacy Policy