tags:

views: 686

answers: 7

I have a database with names in it such as John Doe etc. Unfortunately some of these names contain quotes like Keiran O'Keefe. Now when I try and search for such names as follows: SELECT * FROM PEOPLE WHERE SURNAME='O'Keefe' I (understandably) get an error.

How do I prevent this error from occurring? I am using Oracle and PL/SQL.

A: 

Found in under 30s on Google...

Oracle SQL FAQ

Rob Cooper
A: 

Input filtering is usually done on the language level rather than database layers.
PHP and .NET both have their respective libraries for escaping SQL statements. Check your language, see what's available.
If your data are trustable, then you can just do a string replace to add another ' in front of the ' to escape it. Usually that is enough if there aren't any risks that the input is malicious.

paan
A: 

I suppose a good question is what language are you using?
In PHP you would do: SELECT * FROM PEOPLE WHERE SURNAME='mysql_escape_string(O'Keefe)'
But since you didn't specify the language I will suggest that you look into an escape-string function, MySQL or otherwise, in your language.

Unkwntech
+14  A: 
Matt Sheppard
+1 for recommending bind variables. If you use bind variables annoying things like this don't ever happen, and your queries are better, and you aren't open to SQL injection attacks.
Chris Gill
+1  A: 

Parameterized queries are your friend, as suggested by Matt.

Command = SELECT * FROM PEOPLE WHERE SURNAME=?

They will protect you from headaches involved with

  • Strings with quotes
  • Querying using dates
  • SQL Injection
Conrad
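The three approaches discussed above (splicing the value into the SQL text as in the question, doubling the quote as paan suggests, and a bind variable as Matt and Conrad recommend) side by side. This is an added example, not code from any answer; it uses Python's standard-library sqlite3 as an offline stand-in for Oracle, and the PEOPLE rows are constructed. The `?` placeholder matches Conrad's `SURNAME=?`; in Oracle the same bind would be written `:surname`.

```python
import sqlite3

# Constructed sample data standing in for the PEOPLE table in the question.
# sqlite3 is used as a stand-in for Oracle so the example runs offline; the
# single-quote literal rules shown here are the same in both engines.
SAMPLE_PEOPLE = [
    (1, "John", "Doe"),
    (2, "Keiran", "O'Keefe"),
    (3, "Jane", "O'Keefe"),
]


def make_db():
    """Create an in-memory PEOPLE table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PEOPLE (ID INTEGER PRIMARY KEY, FORENAME TEXT, SURNAME TEXT)"
    )
    conn.executemany("INSERT INTO PEOPLE VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    return conn


def search_concatenated(conn, surname):
    """The approach from the question: splice the value into the SQL text.
    An apostrophe in the surname closes the literal early, so the statement
    no longer parses. Returns matching IDs, or raises OperationalError."""
    sql = f"SELECT ID FROM PEOPLE WHERE SURNAME='{surname}' ORDER BY ID"
    return [row[0] for row in conn.execute(sql)]


def search_escaped(conn, surname):
    """paan's suggestion: double every single quote before splicing.
    Fixes the quote problem, but every call site must remember to do it,
    and it only addresses the quote character."""
    escaped = surname.replace("'", "''")
    sql = f"SELECT ID FROM PEOPLE WHERE SURNAME='{escaped}' ORDER BY ID"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, surname):
    """Bind variable (Conrad's SURNAME=?): the SQL text is fixed and the value
    travels separately, so no character in the value can change the statement.
    The identical text is also what lets the parser reuse the statement
    across values, the saving Ethan Post describes for Oracle."""
    sql = "SELECT ID FROM PEOPLE WHERE SURNAME=? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (surname,))]


def compare(surname):
    """Run all three strategies on one surname and report what each did."""
    conn = make_db()
    try:
        concatenated = search_concatenated(conn, surname)
    except sqlite3.OperationalError as exc:
        concatenated = f"error: {exc}"  # the failure the question reports
    return {
        "concatenated": concatenated,
        "escaped": search_escaped(conn, surname),
        "bound": search_bound(conn, surname),
    }


if __name__ == "__main__":
    for name in ("Doe", "O'Keefe"):
        print(name, compare(name))
```

Running it shows all three strategies agree for "Doe", while for "O'Keefe" only the escaped and bound forms return rows; the concatenated form fails to parse, exactly as in the question. The bound form is the one to standardise on: it needs no per-call escaping and keeps the statement text constant.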
+1  A: 

Use of parameterized SQL has other benefits: it reduces CPU overhead (as well as other resources) in Oracle by reducing the amount of work Oracle requires in order to parse the statement. If you do not use parameters (we call them bind variables in Oracle) then "select * from foo where bar='cat'" and "select * from foo where bar='dog'" are treated as separate statements, whereas "select * from foo where bar=:b1" is the same statement, meaning things like syntax, validity of objects that are referenced etc. do not need to be checked again. There are occasional problems that arise when using bind variables, which usually manifest themselves in not getting the most efficient SQL execution plan, but there are workarounds for this and these problems really depend on the predicates you are using, indexing and data skew.

Ethan Post
+1  A: 

The Oracle 10 solution is

SELECT * FROM PEOPLE WHERE SURNAME=q'{O'Keefe}'
Laurent Schneider