My SQLite query :
let data = db.getAllRows(sql"""
SELECT name, source, uploaded_at, canonical_url, size
FROM table
WHERE name like ?
ORDER BY ? DESC
LIMIT ?
OFFSET ?
""", &"%{query}%", order, limit, offset)
Nim adds single quotes to any string replacing ?. I can manually build the SQL string and then use sql(string), but the input then isn't escaped. Is there some other token apart from ? that does not add '?
To answer your title question: "How to safely add a raw string to a query", you can use dbQuote:
import db_sqlite
let
a = "unes'caped %' string"
b = "my prefix ->"
c = "<- my suffix"
d = b & dbQuote(a) & c
echo d
This will print my prefix ->'unes''caped %'' string'<- my suffix, adding quotes before/after and escaping any ones inside. This string is presumably safe to pass as an sql statement. You should get the same result as if you had used ? with extra parameters.
Related
I have a column named "tel". This column has some records that start with (for example) "0511" and I want to change it "0513". What is proper query?
You can use replace function
UPDATE table SET tel= replace( tel, '0511', '0513' ) WHERE tel LIKE '0511%';
Check the SQLite core functions here
EDIT
In case you have a match after the first 4 digits of your tel number.
For example 051121505113
UPDATE table SET tel= replace(substr(tel,1,5), '0511', '0513' )||substr(tel,5)
WHERE tel LIKE '0511%';
UPDATE table
SET tel = REPLACE(tell, '0511', '0513')
WHERE tel like '%0511%'
In case there's a risk that '0511' exists within the rest if the string you can make sure to only replace 0511 at the start of the string like this:
UPDATE [table]
SET [tel] = CASE WHEN
instr([tel], '0511') = 1 THEN
'0513' || substr([tel], 4)
ELSE
[tel]
END
WHERE [tel] LIKE '0511%';
while inserting i can insert danish character in proper format in sqlite Db but while retrieving my query returns no result
String searchQuery= "SELECT * FROM article,product where article.ItemNo=product.ItemNo ";
if(searchText.length()>0)
{
searchQuery += " AND (article.itemNo like '"+ searchText +"%' OR product.Description like '"+ searchText +"%')";
}
in debug mode query is
`SELECT * FROM article,product where article.ItemNo=product.ItemNo AND (article.itemNo like '%ø%' OR product.Description like '%ø%')..`
No result returns
Proper query will be
SELECT * FROM article,product where article.ItemNo=product.ItemNo AND (article.itemNo like '%Ø%' OR product.Description like '%Ø%');
the desired description field value in Db is MØNTPUNG.
I am wondering is there any issue of case sensitivty?I am using UTF8 encoding for my raw file that will insert data to DB.
The documentation says:
SQLite only understands upper/lower case for ASCII characters by default. The LIKE operator is case sensitive by default for unicode characters that are beyond the ASCII range. For example, the expression 'a' LIKE 'A' is TRUE but 'æ' LIKE 'Æ' is FALSE.
To handle non-ASCII characters correctly, store an uppercase version of your string(s) in a separate column, and search in that with an uppercase search pattern.
I have an SQL statement I run for my website that inserts data into an access database. Is there a way during the insert to replace a space " " if one of the date textboxes contains a space? I need to do this because it throws off my date queries if there is a space in one of the columns?
INSERT INTO tblOpen (DateColumn1, DateColumn2) Values (#Value1, #Value2)
You should use the 'datetime' type for your DateColumn. It solves all your problem. It is good to use proper variable for proper field.
If you mean heading and trailing spaces, then:
myString = myString.Trim()
in your vb.net code will be fine. Even though I would follow Steve's suggestion and converting to date.
As question was about replace, you can either use Replace()
INSERT INTO tblOpen (DateColumn1, DateColumn2)
Values (REPLACE(#Value1, ' ', ''), #Value2)
or LTrim() and RTrim()
INSERT INTO tblOpen (DateColumn1, DateColumn2)
Values (LTRIM(RTRIM(#Value1)), #Value2)
However if datatype is a datetime then it makes sense to convert to that type using
DateTime d = Convert.ToDateTime(TextBox1.Text);
SqlParameter p = command.Parameters.Add("#Value1", System.Data.SqlDbType.DateTime);
p.Value = d;
I have a Sqllite query
SELECT * FROM m_table WHERE LOWER(fName) = LOWER('yui!"'':;/?') AND account = '100' ORDER BY fName COLLATE NOCASE ASC ;
Above returns 0 rows; But when I use the same as below , it Works
update m_table set fName = 'yui!"'':;/? renamed' where fname='yui!"'':;/?' AND account = '100';
Any clues ?
PS: I am using LOWER to ignore case sensitive. I am using this via an android client. Hence
I am also doing StringEscapeUtils.escapeSql("folderName")
This is most likely related to the fact, that your input string contains characters in a non-ASCII-charset. from the documentation of SQLlite:
lower(X) -- The lower(X) function returns a copy of string X with all
ASCII characters converted to lower case. The default built-in lower()
function works for ASCII characters only. To do case conversions on
non-ASCII characters, load the ICU extension.
http://www.sqlite.org/lang_corefunc.html
Try to run the following statement and see what it returns.
SELECT LOWER(fName) FROM m_table WHERE fname='yui!"'':;/?' AND account = '100';
I wrote the database schema (only one table so far), and the INSERT statements for that table in one file. Then I created the database as follows:
$ sqlite3 newdatabase.db
SQLite version 3.4.0
Enter ".help" for instructions
sqlite> .read ./schema.sql
SQL error near line 16: near "s": syntax error
Line 16 of my file looks something like this:
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there\'s');
The problem is the escape character for a single quote. I also tried double escaping the single quote (using \\\' instead of \'), but that didn't work either. What am I doing wrong?
Try doubling up the single quotes (many databases expect it that way), so it would be :
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there''s');
Relevant quote from the documentation:
A string constant is formed by enclosing the string in single quotes ('). A single quote within the string can be encoded by putting two single quotes in a row - as in Pascal. C-style escapes using the backslash character are not supported because they are not standard SQL. BLOB literals are string literals containing hexadecimal data and preceded by a single "x" or "X" character. ... A literal value can also be the token "NULL".
I believe you'd want to escape by doubling the single quote:
INSERT INTO table_name (field1, field2) VALUES (123, 'Hello there''s');
for replace all (') in your string, use
.replace(/\'/g,"''")
example:
sample = "St. Mary's and St. John's";
escapedSample = sample.replace(/\'/g,"''")
Just in case if you have a loop or a json string that need to insert in the database. Try to replace the string with a single quote . here is my solution. example if you have a string that contain's a single quote.
String mystring = "Sample's";
String myfinalstring = mystring.replace("'","''");
String query = "INSERT INTO "+table name+" ("+field1+") values ('"+myfinalstring+"')";
this works for me in c# and java
In C# you can use the following to replace the single quote with a double quote:
string sample = "St. Mary's";
string escapedSample = sample.Replace("'", "''");
And the output will be:
"St. Mary''s"
And, if you are working with Sqlite directly; you can work with object instead of string and catch special things like DBNull:
private static string MySqlEscape(Object usString)
{
if (usString is DBNull)
{
return "";
}
string sample = Convert.ToString(usString);
return sample.Replace("'", "''");
}
In bash scripts, I found that escaping double quotes around the value was necessary for values that could be null or contained characters that require escaping (like hyphens).
In this example, columnA's value could be null or contain hyphens.:
sqlite3 $db_name "insert into foo values (\"$columnA\", $columnB)";
Demonstration of single quoted string behavior where complexity or double quotes are not desired.
Test:
SELECT replace('SAMY''S','''''','''');
Output:
SAMY'S
SQLite version:
SELECT sqlite_version();
Output:
3.36.0