Easiest way to replace illegal character in XML attributes - sql-server

I have trouble with hand-written XML. The XML is generated by concatenating strings like this:
ReturnXML += "<agentchimique ";
ReturnXML += "id_prod=\"" + Produit.Id + "\" ";
ReturnXML += "nom_com_prod=\"" + Produit.NomComProd + "\" ";
ReturnXML += "nom_four=\"" + Produit.Fournisseur.NomFour + "\" ";
ReturnXML += "PhraseR=\"" + Produit.PhrasesR.Replace( "<br/>", "#" ) + "\" ";
ReturnXML += "PhraseS=\"" + Produit.PhrasesS.Replace( "<br/>", "#" ) + "\" ";
ReturnXML += "numfds_prod=\"" + Produit.NumfdsProd.ToString() + "\" ";
ReturnXML += "transverse_prod=\"" + Produit.TransverseProd.ToString() + "\" ";
This is only a small part of the whole XML and, as you can see, all the data is in attributes...
But some parameters such as Produit.PhrasesR or Produit.PhrasesS can contain illegal characters such as <, > or &.
This XML is stored as text in SQL and executed by SQL Server with the stored procedure sp_xml_preparedocument, to be read in Reporting Services.
This XML can also be used as data to generate a web page.
So, what is the quickest and easiest solution to resolve this encoding problem, knowing that I cannot rewrite truly compliant XML (I don't have any time for this), and this XML is used in many places in my project (replacing characters would be the easiest, but it requires replacing them back in the reports and the web page)?
Thanks for your help.

You can use SecurityElement.Escape
ReturnXML += "nom_four=\"" + SecurityElement.Escape(Produit.Fournisseur.NomFour) + "\" ";
This will replace < with &lt;, > with &gt;, etc.
Although you really should use XDocument to build your XML correctly.

You have to escape them with their ASCII equivalents:
'<' must become '&lt;'
'>' must become '&gt;'
'&' must become '&amp;'
No shortcuts that I know of.
I don't think your issue is SQL. Magic characters in XML make it ill-formed. Is the XML you create valid?
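To see what the escaping in both answers actually buys you, here is an added Python example (not code from the question or the answers) that builds the same agentchimique element as the question's C# with and without escaping and parses both back. The escape table mirrors the five replacements SecurityElement.Escape performs (&, <, >, " and '); the Produit record, its field values and the parse_attrs helper are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Minimal equivalent of .NET SecurityElement.Escape: the five XML special
# characters and their entities. '&' is replaced first so the '&' that the
# later replacements introduce is not escaped a second time.
XML_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
               ('"', "&quot;"), ("'", "&apos;"))


def escape_attr(value):
    """Escape a string for use inside a double-quoted XML attribute."""
    for raw, entity in XML_ESCAPES:
        value = value.replace(raw, entity)
    return value


def build_agentchimique(produit, escape=True):
    """Build the <agentchimique .../> element the question's C# concatenates,
    optionally escaping every attribute value (the question does not)."""
    esc = escape_attr if escape else (lambda v: v)
    # Same <br/> -> '#' substitution as the question's PhraseR/PhraseS lines.
    phrase_r = produit["PhrasesR"].replace("<br/>", "#")
    phrase_s = produit["PhrasesS"].replace("<br/>", "#")
    attrs = [
        ("id_prod", str(produit["Id"])),
        ("nom_com_prod", produit["NomComProd"]),
        ("nom_four", produit["NomFour"]),
        ("PhraseR", phrase_r),
        ("PhraseS", phrase_s),
    ]
    body = " ".join('%s="%s"' % (k, esc(v)) for k, v in attrs)
    return "<agentchimique " + body + " />"


def parse_attrs(xml_text):
    """Parse the element back and return its attributes, or None when the
    text is not well-formed (the case sp_xml_preparedocument would reject)."""
    try:
        return ET.fromstring(xml_text).attrib
    except ET.ParseError:
        return None


# Constructed sample record containing exactly the characters the question
# worries about: quotes, < >, & and the <br/> markers.
SAMPLE = {
    "Id": 42,
    "NomComProd": 'Solvant "X" <2%>',
    "NomFour": "Dupont & Fils",
    "PhrasesR": "R10<br/>R36/38 & R20",
    "PhrasesS": "S2<br/>S16",
}

if __name__ == "__main__":
    raw = build_agentchimique(SAMPLE, escape=False)
    print(raw)
    print("unescaped parses to:", parse_attrs(raw))
    safe = build_agentchimique(SAMPLE)
    print(safe)
    print("escaped parses to:", parse_attrs(safe))
```

The unescaped document fails to parse as soon as one attribute contains a quote or an angle bracket, while the escaped one round-trips: the parser hands back the original values (including the `&` and the `#` markers), so nothing has to be "replaced back" in the reports or the web page.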

Related

SSIS convert date in mmddyyyy format to date format using SSIS expression

I'm receiving dates in MMddyyyy format but want to convert them to the SQL/SSIS date format yyyy-MM-dd. How can I do so using an SSIS expression?
An example of a date I'm receiving is 03051978, but I want it to appear as 1978-03-05.
Thank you
You can use the following expression:
(DT_DATE)(RIGHT("0000" + RIGHT("03051978",4),4) + "-" + RIGHT("00" + LEFT("03051978",2),2) + "-" + RIGHT("00" + SUBSTRING("03051978",3,2),2))
Just replace "03051978" with the column name, as an example:
(DT_DATE)(RIGHT("0000" + RIGHT([DateColumn],4),4) + "-" + RIGHT("00" + LEFT([DateColumn],2),2) + "-" + RIGHT("00" + SUBSTRING([DateColumn],3,2),2))
Screenshot from SSIS expression tester tool
Here is your SSIS expression. Obviously, the assumption here is that day and month parts are always 2 digits:
(DT_DBDATE)(SUBSTRING(col,5,4) + "-" + SUBSTRING(col,1,2) + "-" + SUBSTRING(col,3,2))
I'd use a script component.
DateTime.ParseExact([datecol],"MMddyyyy", System.Globalization.CultureInfo.InvariantCulture);

SQL Server concat problem inside Spring Data @Query

I have this query below that works fine on MySQL and Oracle but fails on SQL Server:
@Query("SELECT ca FROM ContextAccess ca " + "LEFT JOIN UserContextAccess uca on ca.id = uca.id " +
"LEFT JOIN RegularUserInfo rui on rui.user = uca.user " +
"WHERE ca.context = :context and (COALESCE(:roles, null) is null or ca.role in (:roles)) " +
"AND (:name is null or ca.accessType='GROUP' or CONCAT(rui.firstName,' ',rui.lastName) like CONCAT(:name,'%') " +
"or CONCAT(rui.lastName,' ',rui.firstName) like CONCAT(:name,'%'))")
I get this stack trace:
com.microsoft.sqlserver.jdbc.SQLServerException: The data types varbinary and varchar are incompatible in the add operator.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:262)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1624)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:594)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:524)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7194)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2979)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand(SQLServerStatement.java:248)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement(SQLServerStatement.java:223)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.executeQuery(SQLServerPreparedStatement.java:446)
The problem comes from CONCAT(:name,'%').
I can solve it by using the '+' operator like this: :name + '%', but then it does not work on Oracle.
Do you have an idea how to solve this problem?
Thanks,
You can use CONCAT(:name,\"%\")
The double-quote character has to be escaped with a backslash in a Java string literal.

Visual Basic when inserting data in SQL Server

I put a SQL statement into a button in Visual Basic to make it insert data into the DB, and when I click it, this error happens:
Conversion from string "Insert into TBL_Usuario_102 valu" to type 'Double' is not valid.
This is the code that's in the button:
Private Sub Guardar_Click(sender As Object, e As EventArgs) Handles Guardar.Click
If NombreDePersona.Text <> "" And Cedula.Text <> "" And RepetirContraseña.Text <> "" And Contraseña.Text <> "" Then
If (RepetirContraseña.Text = Contraseña.Text) Then
instruccionSQL = New SqlClient.SqlCommand("Insert into TBL_Usuario_102 values" +
"(" + Cedula.Text + "," +
NombreDePersona.Text + "," + 3 +
"," + Contraseña.Text + "," +
FechaInclusion.Text + "," + 0 +
"," + FechaInclusion.Text + "," + 3 + ")")
MsgBox("Datos Guardados Correctamente")
Cedula.Clear()
NombreDePersona.Clear()
Contraseña.Clear()
RepetirContraseña.Clear()
Else
MsgBox("Las contraseñas no coinciden")
End If
Else
MsgBox("Escriba en Cada Campo")
End If
End Sub
The SQL connection is in a module and it is working fine, because when I insert the data manually in SQL Server the login works fine.
The data types in the database table are, in this order:
varchar(15)
varchar(20)
int
varchar(50)
datetime
bit
datetime
int
Creating a SQL string like this is dangerous, as it can lead to SQL injection attacks. Usually it is recommended to use command parameters; however, you can also escape single quotes in strings by doubling them. This should make such an attack impossible. Command parameters also have the advantage that you don't have to care about the formatting of strings (and escaping them), numbers, Booleans and dates. E.g. see: How to pass a parameter from vb.net.
As it is now, there is another problem with your SQL statement. Strings must be enclosed in single quotes. Also use & for string concatenation, not + (it's this + which lets VB think that you want to add Doubles).
The types of your text and number inputs do not seem to match the ones in the table (is NombreDePersona a varchar(20)?), and you are inserting FechaInclusion twice.
I would also specify the column names explicitly:
INSERT INTO TBL_Usuario_102 (column_name1, column_name2, ...) values ('a text', 3, ...)
Finally, you don't execute your command. After having opened a connection:
instruccionSQL.ExecuteNonQuery()
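To make the answer's three points concrete (quoted literals, doubled quotes as a fallback, command parameters as the real fix), here is an added Python example that is not code from the question or the answer. It uses an in-memory sqlite3 table as a stand-in for the SQL Server table, so the placeholder syntax is sqlite's ? rather than the @name parameters of SqlCommand.Parameters, the column names are assumed (the question only lists the types), and the inserted values are constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for TBL_Usuario_102 (sqlite3 types, not T-SQL;
    column names are assumed, the question only gives the types in order)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TBL_Usuario_102 ("
        "cedula TEXT, nombre TEXT, tipo INTEGER, contrasena TEXT, "
        "fecha_inclusion TEXT, activo INTEGER, fecha_mod TEXT, rol INTEGER)")
    return conn


def quote_doubled(value):
    """The answer's fallback: double every single quote inside a literal."""
    return value.replace("'", "''")


def insert_concatenated(conn, cedula, nombre, contrasena, fecha, escape=False):
    """What the question's button does, with the single quotes the answer
    says are missing. Without escaping, any value containing a quote
    changes the statement instead of being stored."""
    q = quote_doubled if escape else (lambda v: v)
    sql = ("INSERT INTO TBL_Usuario_102 VALUES ('" + q(cedula) + "','" + q(nombre)
           + "',3,'" + q(contrasena) + "','" + q(fecha) + "',0,'" + q(fecha) + "',3)")
    conn.execute(sql)


def insert_parameterized(conn, cedula, nombre, contrasena, fecha):
    """Same insert with placeholders and explicit column names: the driver
    sends the values separately from the SQL text, so quotes (or anything
    else) inside them are data, never part of the statement."""
    sql = ("INSERT INTO TBL_Usuario_102 (cedula, nombre, tipo, contrasena, "
           "fecha_inclusion, activo, fecha_mod, rol) VALUES (?,?,?,?,?,?,?,?)")
    conn.execute(sql, (cedula, nombre, 3, contrasena, fecha, 0, fecha, 3))


def stored_names(conn):
    """Names actually stored, in insertion order."""
    return [row[0] for row in conn.execute(
        "SELECT nombre FROM TBL_Usuario_102 ORDER BY rowid")]


def demo():
    """Run the three variants on a constructed, perfectly legitimate name
    that happens to contain an apostrophe."""
    conn = make_db()
    nombre = "O'Brien"
    results = {}
    try:
        insert_concatenated(conn, "102", nombre, "s3cret", "2024-01-15")
        results["concat"] = "ok"
    except sqlite3.Error as exc:
        # The apostrophe terminated the literal early: a syntax error here,
        # an altered statement in the worst case.
        results["concat"] = "error: " + str(exc)
    insert_concatenated(conn, "103", nombre, "s3cret", "2024-01-15", escape=True)
    insert_parameterized(conn, "104", nombre, "s3cret", "2024-01-15")
    results["stored"] = stored_names(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the escaped concatenation and the parameterized insert store the name; the parameterized form is the one to keep, because it also stops you from having to format dates, bits and integers as text by hand, which is the second point the answer makes.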

SQL Server : pattern to include parenthesis and exclude all other characters

I am performing pattern matching on @ProductDescription_Glossary in SQL Server 2005 to replace complete words.
The @GlossaryKeyword variable contains the word to be matched and replaced.
The following code replaces @GlossaryKeyword when it is found at the beginning, at the end or in the middle of @ProductDescription_Glossary, but it cannot handle the replacement successfully if @ProductDescription_Glossary contains parentheses at the start or end of the word.
Case 1: this case works properly: Heather is not replaced with the tooltip link inside the word Heathered.
@GlossaryKeyword = Heather
@ProductDescription_Glossary = Heathered
Case 2: this case fails. Here Heather is replaced; my requirement is that Heather does not get replaced, as in case 1, so please provide me with the required pattern.
@GlossaryKeyword = Heather
@ProductDescription_Glossary = (Heathered
Thanks in advance.
Note: @GlossaryKeyword contains alphanumeric, hyphen and / characters only, i.e. (0-9, A-Z, a-z, -, /).
@ProductDescription_Glossary contains HTML tags, which are handled by default (maybe due to the collation settings on my server).
Code:
if PATINDEX ('%[^a-z]' + @GlossaryKeyword + '[^a-z]%','.' + @ProductDescription_Glossary + '.') > 0
BEGIN
SET @ProductDescription_Glossary = REPLACE(@ProductDescription_Glossary,@GlossaryKeyword, '<a target="_blank" id="q_' + CAST (@GlossaryID AS VARCHAR(10)) + '" class="anchor_regular_Mehroon" href="javascript: void(0);">' + @GlossaryKeyword + '</a>')
SET @GlossaryToolTip = @GlossaryToolTip + '<div id="a_q_' + CAST (@GlossaryID AS VARCHAR(10)) + '" class="toolTip_glossary" style="display:none;">' + @GlossaryKeywordDescription + '</div>'
END
Just add ( ) to the negated sets:
select PATINDEX('%[^a-z(]'+ 'Heather' + '[^a-z)]%', '(Heathered red, purple, royal and navy)')
And it is not regex.
And you want to exclude ( - not include.
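Patterns like the answer's are easiest to reason about when you can run them offline. The following added Python example (not code from the question or the answer) is a small emulator of the PATINDEX pattern syntax (%, _, [set] and [^set], everything else literal) translated to a regular expression, returning the 1-based position or 0 as PATINDEX does. It assumes a case-sensitive comparison unless case_insensitive=True is passed; SQL Server's real result depends on the collation in effect. The description strings it runs against are the question's and the answer's, plus constructed ones.

```python
import re


def like_to_regex(pattern):
    """Translate a T-SQL LIKE/PATINDEX pattern into a Python regex.
    % matches any run of characters, _ exactly one, [set] / [^set] a
    character class; every other character is matched literally."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%":
            out.append(".*")
        elif c == "_":
            out.append(".")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1 or end == i + 1:      # unbalanced or empty: literal '['
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:end]
                negate = body.startswith("^")
                if negate:
                    body = body[1:]
                # Escape regex metacharacters inside the class; '-' stays so
                # ranges such as a-z keep working.
                body = re.sub(r"([\\\]\[^])", r"\\\1", body)
                out.append("[" + ("^" if negate else "") + body + "]")
                i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def patindex(pattern, text, case_insensitive=False):
    """1-based position of the first match of pattern in text, 0 if none.
    A leading % means the match may start anywhere and a trailing % that it
    may end anywhere; without them the pattern must reach the start/end."""
    core = pattern.strip("%")
    rx = like_to_regex(core)
    if not pattern.startswith("%"):
        rx = "^" + rx
    if not pattern.endswith("%"):
        rx = rx + r"\Z"
    flags = re.DOTALL | (re.IGNORECASE if case_insensitive else 0)
    m = re.search(rx, text, flags)
    return m.start() + 1 if m else 0


# The question's original pattern and the answer's version, which also
# refuses a '(' before and a ')' after the keyword.
ORIGINAL = "%[^a-z]Heather[^a-z]%"
ANSWER = "%[^a-z(]Heather[^a-z)]%"


def check_word(pattern, description, case_insensitive=False):
    """Mirror the question's test: pad the description with '.' on both sides
    so a keyword at the very start or end still has a neighbour to inspect."""
    return patindex(pattern, "." + description + ".", case_insensitive) > 0


if __name__ == "__main__":
    for desc in ("Heathered", "Heather", "(Heathered red, purple, royal and navy)",
                 "Heather (wool)"):
        print("%-42s original=%s answer=%s" % (
            desc, check_word(ORIGINAL, desc), check_word(ANSWER, desc)))
```

Running the answer's own call, PATINDEX('%[^a-z(]Heather[^a-z)]%', '(Heathered red, purple, royal and navy)'), through patindex gives 0, and the question's case 1 (Heathered) is rejected by both patterns, while a keyword followed by a space or punctuation is still found. Because the translation escapes every literal character, the keyword itself cannot smuggle wildcards into the pattern, which is worth remembering when @GlossaryKeyword is spliced into the pattern string as the question's code does.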

How can I add more than 1 filter to persistence manager query in Java Google App Engine?

I'm using Java servlets to develop a Google App Engine application. I need to write up a query with more than 1 condition in the where clause. The commented out line below gives me query_parsing error. Is there a way to add more than one condition in the where clause?
String query = "select from " + Human.class.getName();
query += " where name == '" + request.getParameter("name") + "'";
//query += " and lastname == '" + request.getParameter("lastname") + "'";
List<Human> humans = (List<Human>) pm.newQuery(query).execute();
I know this is possible with JDO queries such as the below. However, my version is different. I'm using a String object to write up the query and then execute it with persistence manager (Please see above).
Query query = pm.newQuery(Employee.class);
query.setFilter("lastName == lastNameParam");
query.setOrdering("hireDate desc");
query.declareParameters("String lastNameParam");
In your first code snippet, I believe the issue is the word 'and', which should be '&&'. To have multiple filters, as in your second snippet, you would also use the '&&' operator.
String query = "select from " + Human.class.getName();
query += " where name == '" + request.getParameter("name") + "'";
query += " && lastname == '" + request.getParameter("lastname") + "'";
List<Human> humans = (List<Human>) pm.newQuery(query).execute();
or
Query query = pm.newQuery(Employee.class);
query.setFilter("lastName == lastNameParam && name == nameParam");
query.setOrdering("hireDate desc");
query.declareParameters("String lastNameParam");
query.declareParameters("String nameParam");
