We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Solved
Dealing with Apostrophe's and Pipe symbols
Posted on 1998-11-04
All,
I need someone's help with dealing with apostrophe's and pipe symbol's. I am trying to insert text from a HTML FORM to a SQL statement using the UPDATE and INSERT methods. My issue is whenever one of these symbols get put into the SQL statement in my ASP file, it chokes!!
I understand that you need to get a double '' say to keep the quote within a literal but I can't figure how to get this done. I have read to try and use the Replace but it does not work for me. I was also advised to build a function that would search for a ' and replace it with '' before the INSERT or UPDATE.
The fact is that I don't know how to do it! Can anyone provide me with some code and explanation on how to resolve this issue....
Thanks
Mike
I need someone's help with dealing with apostrophe's and pipe symbol's. I am trying to insert text from a HTML FORM to a SQL statement using the UPDATE and INSERT methods. My issue is whenever one of these symbols get put into the SQL statement in my ASP file, it chokes!!
I understand that you need to get a double '' say to keep the quote within a literal but I can't figure how to get this done. I have read to try and use the Replace but it does not work for me. I was also advised to build a function that would search for a ' and replace it with '' before the INSERT or UPDATE.
The fact is that I don't know how to do it! Can anyone provide me with some code and explanation on how to resolve this issue....
Thanks
Mike
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
-
3
-
2
- +1
9 Comments
Here is a function that replaces each apostrophe "'" with a pair of apostrophe "'" characters. It is in C++, but you didn't say what you needed...
void DoubleUp ( CString& text )
{
CString orig = text;
text = "";
for ( int i = 0; i < orig.GetLength(); i++ )
{
text += orig.GetAt(i);
if ( orig.GetAt(i) == '\'' )
text += orig.GetAt(i);
}
return;
}
NOTE: Two apostrophes ('') are not the same as a double quote(").
void DoubleUp ( CString& text )
{
CString orig = text;
text = "";
for ( int i = 0; i < orig.GetLength(); i++ )
{
text += orig.GetAt(i);
if ( orig.GetAt(i) == '\'' )
text += orig.GetAt(i);
}
return;
}
NOTE: Two apostrophes ('') are not the same as a double quote(").
TheGrinch,
I need to include this in a Active Server Page so I would assume that it will need to be written in VBScript. Can you still help me?
I need to include this in a Active Server Page so I would assume that it will need to be written in VBScript. Can you still help me?
No, sorry. Maybe you could follow the pattern of my example and do something yourself? Or maybe someone else can help.
TheGrinch,
I need to include this in a Active Server Page so I would assume that it will need to be written in VBScript. Can you still help me?
I need to include this in a Active Server Page so I would assume that it will need to be written in VBScript. Can you still help me?
BUG #: 17353 (sqlbug_65)
SYMPTOMS
========
When you insert a character through an ODBC data source with either OEM-to-
ANSI translation enabled or a code page translation set, some characters
are translated to an apostrophe (ANSI 39). When the Generate Stored
Procedures option is disabled and a parameter is passed containing these
translated characters, SQL Server returns an error 105:
Unclosed quote before the character string ')'.
NOTE: The apostrophe is also referred to as a single quotation mark or
single quote character.
CAUSE
=====
If a single quotation mark is passed in the parameter, this is replaced
by two single quotation marks and the insert executes correctly.
All of the following conditions must be met:
- The Generate Stored Procedure for Prepared Statement option must be
disabled for the data source.
-and-
- OEM-to-ANSI conversion must be enabled or a code page translator
selected for the data source.
-and-
- The client application prepares the statement with parameter markers.
-and-
- One of the parameters contains a string which includes an extended
character which in the translation enabled for the data source is
converted to the single quotation mark (ANSI 39).
When a Transact-SQL statement is sent to the server, the string type
parameters are delimited by single quotation marks, and the translated
single quotation mark character in the parameter makes the statement
ambiguous.
WORKAROUND
==========
Use any of the following methods to work around the problem:
- Enable Generate Stored Procedure for Prepared Statement. The stored
procedure is created and the parameters to the stored procedure are
passed delimited by double quotation marks so that the problem does
not occur.
-or-
- Disable translation if you don't need this feature. The character is
not translated and will be stored in the server code page as the
relevant character.
-or-
- In the client application, parse the parameters before binding them to
the prepared statement and make appropriate substitutions for characters
which are causing the problem. Substituting the single quotation mark
before binding the parameter works as this will be replaced by two
single quotation marks before being passed to SQL Server.
STATUS
======
Microsoft has confirmed this to be a problem in Microsoft SQL Server
version 6.5. We are researching this problem and will post new information
here in the Microsoft Knowledge Base as it becomes available.
I have seen this but am looking for a someone to give me some code for the workaround in VBScript. Thanks for your input!
Have you seen this?
When building concatenated SQL statements, you can run into the following
problems based on incorporating user-typed text into the SQL statement:
User Types the Delimiter Character
--------------------------
If the user types the same character you use to delimit the text field,
such as:
LName contains: O'Brien
SQL = "SELECT * FROM Employees WHERE LastName='" & LName & "'"
SQL now contains:
SELECT * FROM Employees WHERE LastName='O'Brien'
this can result in the following error messages when you execute the SQL
statement:
Run-time error 3075
Syntax error in query expression '...'
One solution is to replace the apostrophe delimiter with quotes ("), such
as:
SQL = "SELECT * FROM Employees WHERE LastName=""" & LName & """"
However, the user could easily type O"Brien by mistake (forgetting to
release the SHIFT key when typing the apostrophe) and the problem
reappears. In addition, SQL Server uses " to delimit table and field names.
If the user-supplied value exceeds the maximum length of an identifier
name, SQL Server will return a syntax error.
The solution is to replace the apostrophe in the variable with two
apostrophes so that SQL contains:
SELECT * FROM Employees WHERE LastName='O''Brien'
User Types the Pipe Symbol
--------------------------
If the user types the pipe symbol (|), such as:
Password contains: A2|45
SQL = "SELECT * FROM SecurityLevel WHERE UID='" & UserID & "'"
SQL = SQL & " AND PWD='" & Password & "'"
SQL now contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2|45'
and you are querying a Jet database, it can cause either the "Syntax Error"
given above or the following error:
Run-time error 3061
Too few parameters. Expected n.
The pipe symbol causes problems because Jet uses pipe symbols to delimit
field or parameter names embedded in a literal string, such as:
SELECT "|LastName|, |FirstName|" FROM Employees
This was considered easier for beginner users to learn than concatenation
when building ad hoc queries through the Access Query designer. However,
when used inadvertently in building a SQL statement, it can result in an
error.
The solution is to replace the pipe symbol with a concatenated expression
so that SQL contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2' & chr(124) & '45'
Implementing the Solution
-------------------------
The solution to both these problems can be addressed via substring
replacement. The sample functions, ReplaceStr, SQLFixup and JetSQLFixup,
are provided below to illustrate the technique.
WARNING:
Microsoft provides code examples for illustration only, without warranty
either expressed or implied, including but not limited to the implied
warranties of merchantability and/or fitness for a particular purpose. This
code is provided 'as is' and Microsoft does not guarantee that the
following code can be used in all situations. Microsoft does not support
modifications of the code to suit customer requirements for a particular
purpose.
NOTE: In the following sample code, an underscore (_) at the end of a line
is used as a line-continuation character. For product versions that don't
not support the line-continuation character, remove the underscore and
combine that line with the next lines as a single statement when re-
creating this code.
Function ReplaceStr (TextIn, ByVal SearchStr As String, _
ByVal Replacement As String, _
ByVal CompMode As Integer)
Dim WorkText As String, Pointer As Integer
If IsNull(TextIn) Then
ReplaceStr = Null
Else
WorkText = TextIn
Pointer = InStr(1, WorkText, SearchStr, CompMode)
Do While Pointer > 0
WorkText = Left(WorkText, Pointer - 1) & Replacement & _
Mid(WorkText, Pointer + Len(SearchStr))
Pointer = InStr(Pointer + Len(Replacement), WorkText, _
SearchStr, CompMode)
Loop
ReplaceStr = WorkText
End If
End Function
Function SQLFixup(TextIn)
SQLFixup = ReplaceStr(TextIn, "'", "''", 0)
End Function
Function JetSQLFixup(TextIn)
Dim Temp
Temp = ReplaceStr(TextIn, "'", "''", 0)
SQLFixup = ReplaceStr(Temp, "|", "' & chr(124) & '", 0)
End Function
SQLFixup should be used if your SQL statement is going to be used with Jet
SQL pass-through queries or with ODBCDirect, RDO, or ADO to a non-Jet back-
end database:
LName contains: O'Brien
SQL = "SELECT * FROM Employees WHERE LastName='" & _
SQLFixup(LName) & "'"
SQL now contains:
SELECT * FROM Employees WHERE LastName='O''Brien'
JetSQLFixup should be used if Jet is your database back-end, or if doing a
non-Pass-through query to an ODBC datasource:
UserID cntains: JohnDoe
Password contains: A2|4'5
SQL = "SELECT * FROM SecurityLevel WHERE UID='" & _
JetSQLFixup(UserID) & "' AND PWD='" & JetSQLFixup(Password) & "'"
SQL now contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2' & chr(124) & '4''5'
When building concatenated SQL statements, you can run into the following
problems based on incorporating user-typed text into the SQL statement:
User Types the Delimiter Character
--------------------------
If the user types the same character you use to delimit the text field,
such as:
LName contains: O'Brien
SQL = "SELECT * FROM Employees WHERE LastName='" & LName & "'"
SQL now contains:
SELECT * FROM Employees WHERE LastName='O'Brien'
this can result in the following error messages when you execute the SQL
statement:
Run-time error 3075
Syntax error in query expression '...'
One solution is to replace the apostrophe delimiter with quotes ("), such
as:
SQL = "SELECT * FROM Employees WHERE LastName=""" & LName & """"
However, the user could easily type O"Brien by mistake (forgetting to
release the SHIFT key when typing the apostrophe) and the problem
reappears. In addition, SQL Server uses " to delimit table and field names.
If the user-supplied value exceeds the maximum length of an identifier
name, SQL Server will return a syntax error.
The solution is to replace the apostrophe in the variable with two
apostrophes so that SQL contains:
SELECT * FROM Employees WHERE LastName='O''Brien'
User Types the Pipe Symbol
--------------------------
If the user types the pipe symbol (|), such as:
Password contains: A2|45
SQL = "SELECT * FROM SecurityLevel WHERE UID='" & UserID & "'"
SQL = SQL & " AND PWD='" & Password & "'"
SQL now contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2|45'
and you are querying a Jet database, it can cause either the "Syntax Error"
given above or the following error:
Run-time error 3061
Too few parameters. Expected n.
The pipe symbol causes problems because Jet uses pipe symbols to delimit
field or parameter names embedded in a literal string, such as:
SELECT "|LastName|, |FirstName|" FROM Employees
This was considered easier for beginner users to learn than concatenation
when building ad hoc queries through the Access Query designer. However,
when used inadvertently in building a SQL statement, it can result in an
error.
The solution is to replace the pipe symbol with a concatenated expression
so that SQL contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2' & chr(124) & '45'
Implementing the Solution
-------------------------
The solution to both these problems can be addressed via substring
replacement. The sample functions, ReplaceStr, SQLFixup and JetSQLFixup,
are provided below to illustrate the technique.
WARNING:
Microsoft provides code examples for illustration only, without warranty
either expressed or implied, including but not limited to the implied
warranties of merchantability and/or fitness for a particular purpose. This
code is provided 'as is' and Microsoft does not guarantee that the
following code can be used in all situations. Microsoft does not support
modifications of the code to suit customer requirements for a particular
purpose.
NOTE: In the following sample code, an underscore (_) at the end of a line
is used as a line-continuation character. For product versions that don't
not support the line-continuation character, remove the underscore and
combine that line with the next lines as a single statement when re-
creating this code.
Function ReplaceStr (TextIn, ByVal SearchStr As String, _
ByVal Replacement As String, _
ByVal CompMode As Integer)
Dim WorkText As String, Pointer As Integer
If IsNull(TextIn) Then
ReplaceStr = Null
Else
WorkText = TextIn
Pointer = InStr(1, WorkText, SearchStr, CompMode)
Do While Pointer > 0
WorkText = Left(WorkText, Pointer - 1) & Replacement & _
Mid(WorkText, Pointer + Len(SearchStr))
Pointer = InStr(Pointer + Len(Replacement), WorkText, _
SearchStr, CompMode)
Loop
ReplaceStr = WorkText
End If
End Function
Function SQLFixup(TextIn)
SQLFixup = ReplaceStr(TextIn, "'", "''", 0)
End Function
Function JetSQLFixup(TextIn)
Dim Temp
Temp = ReplaceStr(TextIn, "'", "''", 0)
SQLFixup = ReplaceStr(Temp, "|", "' & chr(124) & '", 0)
End Function
SQLFixup should be used if your SQL statement is going to be used with Jet
SQL pass-through queries or with ODBCDirect, RDO, or ADO to a non-Jet back-
end database:
LName contains: O'Brien
SQL = "SELECT * FROM Employees WHERE LastName='" & _
SQLFixup(LName) & "'"
SQL now contains:
SELECT * FROM Employees WHERE LastName='O''Brien'
JetSQLFixup should be used if Jet is your database back-end, or if doing a
non-Pass-through query to an ODBC datasource:
UserID cntains: JohnDoe
Password contains: A2|4'5
SQL = "SELECT * FROM SecurityLevel WHERE UID='" & _
JetSQLFixup(UserID) & "' AND PWD='" & JetSQLFixup(Password) & "'"
SQL now contains:
SELECT * FROM SecurityLevel WHERE UID='JohnDoe'
AND PWD='A2' & chr(124) & '4''5'
Featured Post
Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Viewers will learn how the fundamental information of how to create a table.
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.
Suggested Courses
Course of the Month8 days, 14 hours left to enroll
721 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.