Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase «««1234

Single Quotation Marks in SQL Expand / Collapse
Author
Message
Posted Friday, January 04, 2013 10:19 AM
Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Yesterday @ 6:35 AM
Points: 1,251, Visits: 1,596
Steven Willis (1/4/2013)


For anyone who really cares about proper typography The Chicago Manual of Style is the editor's Bible.

 


Oh. I thought the Chicago Manual of Style was about pinstripes and fedoras. Thanks for clearing that up!
Post #1402993
Posted Friday, January 04, 2013 10:36 AM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Sunday, September 29, 2013 1:24 AM
Points: 429, Visits: 1,721
sknox (1/4/2013)
Steven Willis (1/4/2013)


For anyone who really cares about proper typography The Chicago Manual of Style is the editor's Bible.

 


Oh. I thought the Chicago Manual of Style was about pinstripes and fedoras. Thanks for clearing that up!

Maybe you were confused like Bela Oxmyx... A Piece of the Action.

 
Post #1403004
Posted Sunday, January 06, 2013 6:33 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Today @ 4:12 PM
Points: 288, Visits: 1,408
Nice article and a classic subject.
One workaround is to use tokens when writing dynamic SQL statements, especially if nested more than one level;

DECLARE @TOKEN  NVARCHAR(1)  =  NCHAR(123)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N'
DECLARE @TOKEN NVARCHAR(1) = NCHAR(124)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N{

DECLARE @TOKEN NVARCHAR(1) = NCHAR(125)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N|

DECLARE @TOKEN NVARCHAR(1) = NCHAR(126)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N}

DECLARE @quotedvar nvarchar(100) = N~O¡Neil~
SELECT @quotedvar = REPLACE(@quotedvar,NCHAR(161),NCHAR(39))
PRINT @quotedvar
}
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR

|
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR

{
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR
'
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR


Execution result;
0

DECLARE @TOKEN NVARCHAR(1) = NCHAR(124)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N'

DECLARE @TOKEN NVARCHAR(1) = NCHAR(125)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N|

DECLARE @TOKEN NVARCHAR(1) = NCHAR(126)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N}

DECLARE @quotedvar nvarchar(100) = N~O¡Neil~
SELECT @quotedvar = REPLACE(@quotedvar,NCHAR(161),NCHAR(39))
PRINT @quotedvar
}
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR

|
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR

'
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR
2


DECLARE @TOKEN NVARCHAR(1) = NCHAR(125)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N'

DECLARE @TOKEN NVARCHAR(1) = NCHAR(126)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N}

DECLARE @quotedvar nvarchar(100) = N~O¡Neil~
SELECT @quotedvar = REPLACE(@quotedvar,NCHAR(161),NCHAR(39))
PRINT @quotedvar
}
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR

'
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR


4


DECLARE @TOKEN NVARCHAR(1) = NCHAR(126)
DECLARE @SQ NVARCHAR(1) = NCHAR(39)
DECLARE @SQLSTR NVARCHAR(MAX) = N'

DECLARE @quotedvar nvarchar(100) = N~O¡Neil~
SELECT @quotedvar = REPLACE(@quotedvar,NCHAR(161),NCHAR(39))
PRINT @quotedvar
'
PRINT @@NESTLEVEL
SELECT @SQLSTR = REPLACE(@SQLSTR,@TOKEN,@SQ)
PRINT @SQLSTR
EXEC sp_executesql @SQLSTR


6


DECLARE @quotedvar nvarchar(100) = N'O¡Neil'
SELECT @quotedvar = REPLACE(@quotedvar,NCHAR(161),NCHAR(39))
PRINT @quotedvar

O'Neil



Eirikur
Post #1403328
Posted Sunday, January 06, 2013 2:22 PM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Sunday, September 29, 2013 1:24 AM
Points: 429, Visits: 1,721
Eirikur Eiriksson (1/6/2013)
One workaround is to use tokens when writing dynamic SQL statements, especially if nested more than one level;

That sounds like a great idea. I've never seen the problem dealt with like that before. Thumbs up!

 
Post #1403355
Posted Monday, January 07, 2013 11:46 PM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Today @ 10:00 AM
Points: 147, Visits: 499
Since our apps are primarily web pages we step around the problem by converting the problem characters to unicode. The single quote character is converted to "'". It no longer is in the way, there is no special coding necessary and it displays properly in a browser.
Post #1403986
Posted Sunday, January 13, 2013 3:16 PM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Thursday, April 17, 2014 5:52 PM
Points: 11, Visits: 81
IMHO dynamic SQL outside of database is a recepie for a disaster.
Anybody hear about SQL injection in last 15+ years?
Why not use parameterised stored procedures/user-defined functions.

I would use dynamic SQL only for Sql script generation or
Within stored procedure (in exceptional cases when nothing
Else could work).
Post #1406517
Posted Sunday, January 13, 2013 4:10 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Monday, April 21, 2014 1:05 PM
Points: 3,436, Visits: 1,684
I would tend to agree. Dynamic SQL is a very powerful tool. But it's just one tool of many and should only be used when it's appropriate and with appropriate attention paid to security. For that matter combining parameters and dynamic sql can be particularly powerful.


Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Post #1406526
Posted Sunday, January 13, 2013 4:18 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Monday, April 21, 2014 1:05 PM
Points: 3,436, Visits: 1,684
Sorry I'm a little bit late posting my answer to the "homework". Lot's of people had posted correct answers already so I didn't feel all that rushed to post my answer .

DECLARE @topsql nvarchar(200)

SET @topsql =
'DECLARE @quotedvar nvarchar(100) ' + char(13) +
'DECLARE @sql nvarchar(1000) ' + char(13) +
'' + char(13) +
'SET @quotedvar = ''O''''Neil''' + char(13) +
'' + char(13) +
'SET @sql = ''PRINT '''''' + REPLACE(@quotedvar,'''''''','''''''''''') + ''''''''' + char(13) +
'' + char(13) +
'PRINT @sql' + char(13) +
'' + char(13) +
'EXEC sp_executesql @sql'

PRINT @topsql
PRINT '-------'

EXEC sp_executesql @topsql


The best test for the correct answer is of course to run it and see if the output works :)


Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Post #1406528
« Prev Topic | Next Topic »

Add to briefcase «««1234

Permissions Expand / Collapse