Replace single quotes in SQL Server - sql-server

I have this function in SQL Server to replace single quotes.
But when I insert a single quote it throws an error on Replace(#strip,''','')):
Create Function [dbo].[fn_stripsingleQuote]
(#strStrip varchar(Max))
returns varchar
as
begin
declare #CleanString varchar(Max)
SET #var=(Replace(#strip,'',''))
return #var
end

You need to double up your single quotes as follows:
REPLACE(#strip, '''', '')

Try REPLACE(#strip,'''','')
SQL uses two quotes to represent one in a string.

If you really must completely strip out the single quotes you can do this:
Replace(#strip, '''', '')
However, ordinarily you'd replace ' with '' and this will make SQL Server happy when querying the database. The trick with any of the built-in SQL functions (like replace) is that they too require you to double up your single quotes.
So to replace ' with '' in code you'd do this:
Replace(#strip, '''', '''''')
Of course... in some situations you can avoid having to do this entirely if you use parameters when querying the database. Say you're querying the database from a .NET application, then you'd use the SqlParameter class to feed the SqlCommand parameters for the query and all of this single quote business will be taken care of automatically. This is usually the preferred method as SQL parameters will also help prevent SQL injection attacks.

You could use char(39)
insert into my_table values('hi, my name'+char(39)+'s tim.')
Or in this case:
Replace(#strip,char(39),'')

Looks like you're trying to duplicate the QUOTENAME functionality. This built-in function can be used to add delimiters and properly escape delimiters inside strings and recognizes both single ' and double " quotes as delimiters, as well as brackets [ and ].

Try escaping the single quote with a single quote:
Replace(#strip, '''', '')

We have to double the number of quotes.
To replace single quote :
REPLACE(#strip, '''', '')
To replace double quotes :
REPLACE(#strip, '''''', '')

If escaping your single quote with another single quote isn't working for you (like it didn't for one of my recent REPLACE() queries), you can use SET QUOTED_IDENTIFIER OFF before your query, then SET QUOTED_IDENTIFIER ON after.
For example
SET QUOTED_IDENTIFIER OFF;
UPDATE TABLE SET NAME = REPLACE(NAME, "'S", "S");
SET QUOTED_IDENTIFIER OFF;

I ran into a strange anomaly that would apply here. Using Google API and getting the reply in XML format, it was failing to convert to XML data type because of single quotes.
Replace(#Strip ,'''','')
was not working because the single quote was ascii character 146 instead of 39.
So I used:
Replace(#Strip, char(146), '')
which also works for regular single quotes char(39) and any other special character.

Try this :
select replace (colname, char(39)+char(39), '') AS colname FROM .[dbo].[Db Name];
I have achieved the desired result.
Example : Input value --> Like '%Pat') '' OR
Want Output --> *Like '%Pat') OR*
using above query achieved the desired result.

The striping/replacement/scaping of single quotes from user input (input sanitation), has to be done before the SQL statement reaches the database.

Besides needing to escape the quote (by using double quotes), you've also confused the names of variables: You're using #var and #strip, instead of #CleanString and #strStrip...

I think this is the shortest SQL statement for that:
CREATE FUNCTION [dbo].[fn_stripsingleQuote] (#strStrip varchar(Max))
RETURNS varchar(Max)
AS
BEGIN
RETURN (Replace(#strStrip ,'''',''))
END
I hope this helps!

select replace ( colname, '''', '') AS colname FROM .[dbo].[Db Name]

Related

Remove ALL white spaces in a string sql server

I'm trying to convert this '232431 K' into this '232431K' and I can't find a function that does this. All the references I have found are TRIM, RTRIM and LTRIM but these functions are not useful for me in this case because I don't have left or right white spaces to be removed, the white spaces are "inside" the string.
You can refer to Remove all spaces from a string in SQL Server.
In simple terms, you will need to use REPLACE function, such as REPLACE(stringValue, ' ', '')
In addition to using replace, on SQL Server 2017+ to avoid multiple nested functions, you can use translate if there are multiple characters in a string you want to remove:
Remove space, hyphen, slash:
declare #string varchar(50)='12345 67-9\x'
select Replace(Translate(#string, ' -\','???'),'?','')
Maybe try REPLACE like below
SELECT REPLACE(N'232431 K',' ','')
As asked in another comment
What if I have to replace ' ' or '-', is it possible to put it all using just one REPLACE function? For example REPLACE(stringValue, [' ', '-'], '')
you should use replace in conjuction with Translate function
select replace(translate (N'l;[pi-',';[-',' '),' ','')

SQL Server : display data/column from SELECT statement

I have a table with data that holds a bunch of HTML attributes.
For example: '<HTML><BODY></BODY></HTML>'
I would like to be able to write a SELECT statement that can grab those values, but display them modified.
So instead of displaying
'<HTML><BODY>DATA</BODY></HTML>'
I want to show:
'<HTML>
<BODY>DATA</BODY>
</HTML>'
Essentially, breaking out each one to a new line, based on finding a '>' value, without modifying the data.
I can't seem to find a way to do this. I tried looking into STRING_SPLIT, but I can't get that to apply from the SELECT part.
Any suggestions where I look?
Edit 2/22 - it appears REPLACE gets me further, but when reviewing this more, it may not be possible.
How would SQL know to break out to a new line when the ending HTML tag appears?
It's almost like I need to use a RegEx in here...
REPLACE(TD.DefDetails, '</', CHAR(13) + CHAR(10) + '</') As DefDetails
STRING_SPLIT can split a single column into multiple rows. STRING_SPLIT does require SQL Server Version 2016+. The following snippet does show an example for this scenario.
USE tempdb;
GO
DECLARE #HTMLString AS VARCHAR(100) = '<HTML><BODY></BODY></HTML>';
SELECT *
FROM STRING_SPLIT(#HTMLString,'>');
Actually appears this is done using REPLACE.
REPLACE(Table.DefDetails, '>', '>'+ CHAR(13) + CHAR(10)) As DefDetails
Demo on db<>fiddle
You can achieve it in this way
SELECT REPLACE('<HTML><BODY></BODY></HTML>', '>', '>'+ CHAR(13))
Or if you want to get the value into rows, you can do this way.
Select value + '>'
from STRING_SPLIT('<HTML><BODY></BODY></HTML>', '>')
where value <> ''
Output

How do I remove line feed characters when selecting data from SQL Server?

I insert data that contains a line feed character into the database. Then I retrieve that data. I am using this script to attempt to remove the line feed while selecting the data from SQL:
Select Replace(Replace stringname,char(10),'',char(32),'')) from tablename
The replace function seems to execute, but it does not remove the line feed correctly.
The syntax of your statment looks wrong, maybe you can try with something like this:
Select Replace(Replace(#str,CHAR(10),''),CHAR(13),'')
The inner replace relaces LF and the outer replace replace CR
Shouldn't it be Select Replace(Replace(stringname,char(10),''),char(13),'') from tablename?
Also you could use single replace Select Replace(stringname,char(13)+char(10),'') from tablename.
char(32) corresponds to a space symbol
(select Replace( (select REPLACE( ColName,CHAR(10),'')),char(13),''))
as ColAlias
from YourTable
Solved with following .
I had issues with in sql data which even can not be seen as well in sql, causing me problem in some jquery functions.
A line feed is CHAR(10); a carriage return is CHAR(13).
The following code will remove a line feed characters and replaces it with a zero-length string:
UPDATE Table_Name SET Field_Name = REPLACE(Field_Name,CHAR(10),'');
If you want remove CRLF from the end of a string you can use RTRIM in postgresql.
for update operation:
UPDATE tablename
SET columnname = RTRIM(RTRIM(columnname,chr(10)),chr(13))
WHERE columnname like '%' || chr(13) or columnname like '%' || chr(10)
or for select:
SELECT RTRIM(RTRIM(columnname,chr(10)),chr(13)) FROM tablename
if you want leading or both use LTRIM or BTRIM

line breaks lost in sql server

I am entering error information into an ErrorLog table in my database. I have a utility class to do this:
ErrorHandler.Error("Something has broken!!\n\nDescription");
This works fine. However, when I try to access this table, the line breaks no longer seem to be present.
If I SELECT the table:
SELECT * from ErrorLog ORDER BY ErrorDate
there are no line breaks present in the log. This is kind of expected, as line breaks in one-line rows would break the formatting. However, If I copy the data out, the line break characters have been lost, and the data is all on one line.
How do I get line breaks in data at the end of my query when I put line breaks in? I don't know if the string has been stripped of line breaks when it enters the table, or if the viewer in SQL Server Management Studio has stripped out the line breaks.
The data type of the column into which error messages are put is nvarchar(Max), if that makes a difference.
EDIT: Unexpectedly, Pendri's solution didn't work.
Here is an excerpt of the string just before it passes into the SQL server:
POST /ipn/paymentResponse.ashx?installation=272&msgType=result HTTP/1.0\n\rContent-Length: 833\n\rContent-Type:
And here is the same string when I extract it from the grid viewer in SQL Server Management Studio:
POST /ipn/paymentResponse.ashx?installation=272&msgType=result HTTP/1.0 Content-Length: 833 Content-Type:
The place where the line break should be has been double spaced.
Any ideas?
No need to replace string input\output, you need just pick up correct option:
Tools -> Options...
> Query Results
> SQL Server
> Results to Grid
set "Retain CR\LF on copy or save" to true.
And don't forget to restart your management studio!
according Charles Gagnon answer
SSMS replaces linebreaks with spaces in the grid output. If you use Print to print the values (will go to your messages tab) then the carriage returns will be displayed there if they were stored with the data.
Example:
SELECT 'ABC' + CHAR(13) + CHAR(10) + 'DEF'
PRINT 'ABC' + CHAR(13) + CHAR(10) + 'DEF'
The first will display in a single cell in the grid without breaks, the second will print with a break to the messages pane.
A quick and easy way to print the values would be to select into a variable:
DECLARE #x varchar(100);
SELECT #x = 'ABC' + CHAR(13) + CHAR(10) + 'DEF';
PRINT #x;
Update a couple years later.
As described here, one solution to preserve viewing linebreaks in SSMS is to convert the output to XML:
SELECT * FROM (
SELECT * from ErrorLog ORDER BY ErrorDate
) AS [T(x)] FOR XML PATH
Fortunately, if you have SSMS 2012, this is no longer an issue, as line breaks are retained.
I echo David C's answer, except you should use the "TYPE" keyword so that you can click to open the data in a new window.
Note that any unsafe XML characters will not work well with either of our solutions.
Here is a proof of concept:
DECLARE #ErrorLog TABLE (ErrorText varchar(500), ErrorDate datetime);
INSERT INTO #ErrorLog (ErrorText, ErrorDate) VALUES
('This is a long string with a' + CHAR(13) + CHAR(10) + 'line break.', getdate()-1),
('Another long string with' + CHAR(13) + CHAR(10) + '<another!> line break.', getdate()-2);
SELECT
(
SELECT ErrorText AS '*'
FOR XML PATH(''), TYPE
) AS 'ErrorText',
ErrorDate
FROM #ErrorLog
ORDER BY ErrorDate;
I can confirm that the line breaks are preserved when copying out of a grid in SSMS 2012.
try using char(13) + char(10) instead of '\n' in your string (define a constant and concatenate to your sql)
Another simple solution is to click the "results to text" button in SSMS. Its not super clean, but gives you visibility to line breaks with about half a second of work.
For SQL Server 2008, there is no provision to set "Retain CR\LF on copy or save" to true.
For this issue, what I did is that, replace char(13) with "\r" and replace char(10) with "\n" like below.
REPLACE(REPlACE([COLUMN_NAME],char(13), '\r'),CHAR(10),'\n')
And in the code-behind again I've replaced "\r\n" with a break tag.
I worked out in this way as there was no option provided in SQL 2008 as mentioned above. This answer might be an alternative though.
Thanks

Escape Character in SQL Server

I want to use quotation with escape character. How can I do to avoid the following error when one has a special character?
Unclosed quotation mark after the character string.
You can escape quotation like this:
select 'it''s escaped'
result will be
it's escaped
To escape ' you simly need to put another before: ''
As the second answer shows it's possible to escape single quote like this:
select 'it''s escaped'
result will be
it's escaped
If you're concatenating SQL into a VARCHAR to execute (i.e. dynamic SQL), then I'd recommend parameterising the SQL. This has the benefit of helping guard against SQL injection plus means you don't have to worry about escaping quotes like this (which you do by doubling up the quotes).
e.g. instead of doing
DECLARE #SQL NVARCHAR(1000)
SET #SQL = 'SELECT * FROM MyTable WHERE Field1 = ''AAA'''
EXECUTE(#SQL)
try this:
DECLARE #SQL NVARCHAR(1000)
SET #SQL = 'SELECT * FROM MyTable WHERE Field1 = #Field1'
EXECUTE sp_executesql #SQL, N'#Field1 VARCHAR(10)', 'AAA'
You can define your escape character, but you can only use it with a LIKE clause.
Example:
SELECT columns FROM table
WHERE column LIKE '%\%%' ESCAPE '\'
Here it will search for % in whole string and this is how one can use ESCAPE identifier in SQL Server.
You need to just replace ' with '' inside your string
SELECT colA, colB, colC
FROM tableD
WHERE colA = 'John''s Mobile'
You can also use REPLACE(#name, '''', '''''') if generating the SQL dynamically
If you want to escape inside a like statement then you need to use the ESCAPE syntax
It's also worth mentioning that you're leaving yourself open to SQL injection attacks if you don't consider it. More info at Google or: http://it.toolbox.com/wiki/index.php/How_do_I_escape_single_quotes_in_SQL_queries%3F
Escaping quotes in MSSQL is done by a double quote, so a '' or a "" will produce one escaped ' and ", respectively.
If you want to escape user input in a variable you can do like below within SQL
Set #userinput = replace(#userinput,'''','''''')
The #userinput will be now escaped with an extra single quote for every occurance of a quote
WHERE username LIKE '%[_]d'; -- #Lasse solution
WHERE username LIKE '%$_d' ESCAPE '$';
WHERE username LIKE '%^_d' ESCAPE '^';
FROM:
SQL Server Escape an Underscore
You could use the **\** character before the value you want to escape e.g
insert into msglog(recipient) values('Mr. O\'riely')
select * from msglog where recipient = 'Mr. O\'riely'
To keep the code easy to read, you can use square brackets [] to quote the string containing ' or vice versa .

Resources