Escaping a single quotation within SQL query

I have a table companies, which has two columns named name and address. By running the following code, new data are inserted into the table:

my_name = "my company name"
my_address = "ABC"

# The values are interpolated straight into the statement text
query = "INSERT INTO companies (name,address) VALUES ('#{my_name}','#{my_address}');"

ActiveRecord::Base.connection.execute(query)

If I change the my_name value from "my company name" to "John's company", I get a syntax error. This is because the query becomes:

"INSERT INTO companies (name,address) VALUES ('John's company','ABC');"

and 'John's company' has a single quotation mark within it.

Given that I have already used double quotation mark for the query string definition, how can I get rid of this error regarding the single quotation mark in my value?

Leem.fin asked Nov 18 '11 08:11



1 Answer

If you must do it this way then use the quote method on the connection object:

quote(value, column = nil)
Quotes the column value to help prevent SQL injection attacks.

So something like this:

# quote returns the value already wrapped in single quotes, so the
# statement below interpolates it without adding quotes of its own
my_name    = ActiveRecord::Base.connection.quote("John O'Neil")
my_address = ActiveRecord::Base.connection.quote("R'lyeh")

query = "INSERT INTO companies (name,address) VALUES (#{my_name}, #{my_address})"

ActiveRecord::Base.connection.execute(query)

Never ever try to handle your own quoting. And don't try to use double quotes for quoting an SQL string literal, that's what single quotes are for; double quotes are for quoting identifiers (such as table and column names) in most databases but MySQL uses backticks for that.

mu is too short answered Sep 30 '22 10:09
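An added example, not part of the question or answer above, showing why the unquoted statement fails and what the quoted one looks like to the server. ActiveRecord is not loaded here, so `quote_literal` is a stand-in for what the adapter's String quoting produces (an assumption for this demo; in an application call `ActiveRecord::Base.connection.quote`), and `string_literals` is a small scanner that mimics how a SQL lexer reads single-quoted literals.

```ruby
# Stand-in for ActiveRecord's String quoting (assumption, demo only):
# double backslashes and single quotes, then wrap in single quotes.
def quote_literal(value)
  escaped = value.gsub("\\") { "\\\\" }.gsub("'", "''")
  "'#{escaped}'"
end

# The question's pattern: the raw value is dropped into the statement text.
def naive_insert(name, address)
  "INSERT INTO companies (name,address) VALUES ('#{name}','#{address}');"
end

# The answer's pattern: quote first, then interpolate the quoted literal.
def quoted_insert(name, address)
  "INSERT INTO companies (name,address) VALUES " \
    "(#{quote_literal(name)}, #{quote_literal(address)});"
end

# Read the statement the way a lexer would: inside a literal, `\x` and `''`
# are escapes and a lone `'` closes it. Returns the decoded literal bodies,
# or nil when a literal is never closed (the server's "syntax error" case).
def string_literals(sql)
  literals = []
  i = 0
  while i < sql.length
    if sql[i] == "'"
      body = +""
      i += 1
      loop do
        return nil if i >= sql.length # ran off the end inside a literal
        c = sql[i]
        if c == "\\" && i + 1 < sql.length
          body << sql[i + 1]; i += 2
        elsif c == "'" && sql[i + 1] == "'"
          body << "'"; i += 2
        elsif c == "'"
          i += 1; break
        else
          body << c; i += 1
        end
      end
      literals << body
    else
      i += 1
    end
  end
  literals
end
```

With "John's company" the naive statement leaves its last literal open (`string_literals` returns nil), while the quoted statement decodes back to the two intended values.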