Hi,
This is a generic question, but for arguement's sake, let's say, my
environment is SQL Server 2000.
It seems that setting quoted_identifier off is the best way to
accomodate all sort of data input/update especially for data set that
contains special characters like single quote as in O'Brien, other
funky stuff like %^$*@#(!).
However, this option won't help with a situation like data value of
5'9",
and let's say, we really can't predicate if this type of value will be
used for ColA or ColB or ColC ...
Example
create table #tmp (col1 varchar(30));
set quoted_identifier off;
insert into #tmp values("O'Brien's barking dog'");
-- success
insert into #tmp values("O'book has funky (%^$*7) stuff");
-- success
insert into #tmp values("John said "funky is OK" in his speech");
-- failed
Globaly search and replace the double quotes before insert/update is
just too "expensive", not a good option.
Now, if we can set a custom quoted_identifier, we can solve the above
problem easily, for instance,
if MS SQL Server permits/accepts
set quoted_identier = '//$$';
then
insert into #tmp values(//$$John said "funky is OK" in his
speech//$$);
(or the like)
would succeed
Any other thoughts/ideas? Thanks.
Quote "Never stop thinking even though at times it may produce waste,
which we all do, btw :) "
4  33333 
Doug Baroter (qw********@boxfrog.com) writes: It seems that setting quoted_identifier off is the best way to
accomodate all sort of data input/update especially for data set that
contains special characters like single quote as in O'Brien, other
funky stuff like %^$*@#(!).
Setting QUOTED_IDENTIFIER OFF may be a good idea when you are building
dynamic SQL strings and need to handle nested quote levels.
However, since QUOTED_IDENTIFIER must be ON for some features to be
available, this approach is not universally applicable.
Better is to use a function like the builtin quotename(). The only
drawback with quotename() is that it is restricted in input to 129 chars.
Then again, writing a scalar function that handles longer input is
no big deal.
Globaly search and replace the double quotes before insert/update is
just too "expensive", not a good option.
It's only the viable option. Dynamically building SQL statement rarely
involves reading a lot of rows. (Although the dynamic SQL may operate
on many rows.)
--
Erland Sommarskog, SQL Server MVP, so****@algonet.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
"Greg D. Moore \(Strider\)" <mo*****@greenms.com> wrote in message news:<7C*******************@twister.nyroc.rr.com>. .. "Doug Baroter" <qw********@boxfrog.com> wrote in message
news:fc**************************@posting.google.c om...
Globaly search and replace the double quotes before insert/update is
just too "expensive", not a good option.
Actually it IS the good option and the most common.
It may not be, for instance, I have 28 columns for text data, and I
don't know what users are going to input/enter, the global search and
replace would have to be processed 28 times, I consider that
expensive, hence not a desirable option. As for "the most common" one
because there does not seem to be a better one yet, "most common"
seldom equates to the best or the most desirable.
Is my following suggestion pushing the envelope or you don't technical
need for it?
if MS SQL Server permits/accepts
set quoted_identier = '//$$';
then
insert into #tmp values(//$$John said "funky is OK" in his
speech//$$);
(or the like)
would succeed
I know everyting below. Thanks anyway.
but doubling single quotes.
i.e. whatever is passing your data to your SQL Server should take:
O'Reilly and make it O''Rielly (note, two SINGLE quotes, not a single double
quote) and then encapsulate that in single quotes.
So you get:
create table quotetest
(
teststring varchar(20)
)
insert into quotetest (teststring) values ('O''Reilly')
select * from quotetest
drop table quotetest
That will work.
Now, if we can set a custom quoted_identifier, we can solve the above
problem easily, for instance,
if MS SQL Server permits/accepts
set quoted_identier = '//$$';
then
insert into #tmp values(//$$John said "funky is OK" in his
speech//$$);
(or the like)
would succeed
Any other thoughts/ideas? Thanks.
Quote "Never stop thinking even though at times it may produce waste,
which we all do, btw :) "
Erland Sommarskog <so****@algonet.se> wrote in message news:<Xn**********************@127.0.0.1>... However, since QUOTED_IDENTIFIER must be ON for some features to be
available, this approach is not universally applicable.
For instance?
Better is to use a function like the builtin quotename(). The only
drawback with quotename() is that it is restricted in input to 129 chars.
Then again, writing a scalar function that handles longer input is
no big deal.
How about execution efficiency if I have 28 to 45 columns of text data
where I don't know what data users may enter?
What do you think of the following scenario? justifiable or not?
Thanks.
Did "QUOTED_IDENTIFIER must be ON for some features to be available"
imply that this suggestion may not be able to accomodate/support
existing features?
if MS SQL Server permits/accepts
set quoted_identier = '//$$';
then
insert into #tmp values(//$$John said "funky is OK" in his
speech//$$);
(or the like)
would succeed
Doug Baroter (qw********@boxfrog.com) writes: How about execution efficiency if I have 28 to 45 columns of text data
where I don't know what data users may enter?
In that case you can kill two birds with one stone. Write a stored
procedure to insert the values, and call the stored procedure with
the RPC mechanism. In this, you don't even have to bother. And your
code executes faster, because RPC is faster than calling stored
procedures by passing EXEC commands, which is faster by sending
INSERT statements.
(In ADO, you get RPC by setting commandtype to "adStoredProcedure", and
the you use the .Parameters collection to pass the parameters.
Did "QUOTED_IDENTIFIER must be ON for some features to be available"
imply that this suggestion may not be able to accomodate/support
existing features?
Probably. I have not penetrated exactly what go wrong with indexed
views and indexed computed columns if the restriction on QUOTED_IDENTFIER
was lifted.
In any case, the suggestion is useless, because whatever delimiter
you pick, the users can always use that delimiter in their input.
And this is not only an issue of usuability, but also about security.
By accepting user input without any processing, you open yourself to
SQL injection. For details see, http://www.algonet.se/~sommar/dynami...html#Security2.
--
Erland Sommarskog, SQL Server MVP, so****@algonet.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Roy W. Andersen |
last post by:
I've been searching google about this for days but can't find anything,
so I'm hoping someone here can help me out.
I'm trying to create zip-files without needing the zip-file extension in
PHP,...
|
by: Barry Olly |
last post by:
Hi,
I'm working on a mini content management system and need help with
dealing with special characters.
The input are taken from html form which are then stored into a
varchar column in...
|
by: Ewok |
last post by:
let me just say. it's not by choice but im dealing with a .net web app (top
down approach with VB and a MySQL database) sigh.....
Anyhow, I've just about got all the kinks worked out but I am...
|
by: Sakharam Phapale |
last post by:
Hi All,
I am using an API function, which takes file path as an input.
When file path contains special characters (@,#,$,%,&,^, etc), API function
gives an error as "Unable to open input file"....
|
by: Carl Mercier |
last post by:
Hi,
Is it possible to use special characters like \n or \t in a VB.NET
string, just like in C#? My guess is NO, but maybe there's something I
don't know.
If it's not possible, does anybody...
| | |
by: david.lindsay.green |
last post by:
Hello all, I am quite new a web scripting and making web pages in
general and I have stumbled across a problem I have as yet been unable
to solve. I am trying to take the contents of a textarea box...
|
by: Doc |
last post by:
Hello!
I'm experiencing a little problem counting the number of characters in
a textarea on a html page.
This is the content type of my HTML document
content="text/html; charset=iso-8859-1"
...
|
by: Trac Bannon |
last post by:
When I load XML from a file into a dotNet XMLDataDocument, the UTF-8 codes
are resolved but the 5 special XML entities are not.
How can I force those 5 special character types to be translated?
|
by: KevinADC |
last post by:
Purpose
The purpose of this article is to discuss the difference between characters inside a character class and outside a character class and some special characters inside a character class....
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
