How to write ' in SQL query?

Question

i need to use the Characters ' in access query.

but if i write select Fname from MEN where Fnale = 'j'o' i get error

how to write the Characters '

thank's in advance

Community · Accepted Answer · 2017-05-23 12:04:11Z

9

Try a backslash \' or two quotes ''.

This depends on your database. MySQL uses \' and Microsoft SQL and MS Access uses two quotes ''.

edited May 23, 2017 at 12:04

CommunityBot

11 silver badge

answered Nov 8, 2010 at 7:52

Pieter van Ginkel

29.7k8 gold badges77 silver badges114 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

Nick Over a year ago

This probably speaks for itself, but just to elaborate: You need the \ so the character following will be interpreted as plain-text character.

Larsenal · Accepted Answer · 2010-11-08 15:05:22Z

5

Single quotes can be escaped with two single quotes.

SELECT Fname FROM MEN WHERE Fnale = 'j''o'

edited Nov 8, 2010 at 15:05

answered Nov 8, 2010 at 7:53

Larsenal

51.5k43 gold badges155 silver badges224 bronze badges

Comments

GvS · Accepted Answer · 2010-11-08 08:35:11Z

3

For SQL Server:

var cmd = new SqlCommand("select fname from MEN where fnale = @query", myConnection);
cmd.Parameters.AddWithValue("@query", "j'o");

All solutions where you add your parameter to the sql string yourself are wrong (or at least high risk), because they are vulnarable for a SQL Injection Attack.

You mention "access query", for Microsoft Access / Ole use the following syntax:

var cmd = new OleDbCommand("select fname from MEN where fnale = ?", myConnection);
cmd.Parameters.AddWithValue("?", "j'o"); // Order does matter

edited Nov 8, 2010 at 8:35

answered Nov 8, 2010 at 8:24

GvS

52.5k16 gold badges104 silver badges139 bronze badges

3 Comments

David-W-Fenton Over a year ago

Have you given serious thought to what kind of real-world risk to SQL injection that there is with a Jet/ACE back end? It's a lot less than with most databases. I'm not disputing the advice in general, just pointing out that alarmism over SQL injection is mostly misplaced for your standard Access application. See stackoverflow.com/questions/512174/non-web-sql-injection/… for my take on the subject.

GvS Over a year ago

@David: I only have limited knowledge. A hacker might know a way to do a SQL Injection. I have some tools to make it harder, and I intend to use them.

David-W-Fenton Over a year ago

It depends on what you mean by "SQL injection." Most people mean something a lot more drastic than what is possible with Access/Jet/ACE.

Alex · Accepted Answer · 2010-11-08 07:55:34Z

2

I would use a literal string to avoid escaping everything

string query = @"select Fname from MEN where Fnale = 'jo'";

If you are escaping this with respect to SQL, then use another single quote to escape the quotes:

select Fname from MEN where Fnale = ''jo''

answered Nov 8, 2010 at 7:55

Alex

3,6522 gold badges21 silver badges27 bronze badges

Comments

Hans Keﬆing · Accepted Answer · 2010-11-08 08:32:08Z

2

As others said, you can escape the quotes. But if you are sending that query from C#, then it's better to use parameters - that way all escaping is done for you, so you can't forget some special case where user input can still cause unwanted effects. (little bobby tables, anyone? :-) )

edited Nov 8, 2010 at 8:32

answered Nov 8, 2010 at 8:16

Hans Keﬆing

39.5k10 gold badges84 silver badges119 bronze badges

Comments

Kamal · Accepted Answer · 2010-11-08 07:57:30Z

1

Try replacing ' with ''

answered Nov 8, 2010 at 7:57

Kamal

2,5222 gold badges35 silver badges48 bronze badges

Collectives™ on Stack Overflow

How to write ' in SQL query?

6 Answers 6

1 Comment

Comments

3 Comments

Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

6 Answers 6

1 Comment

Comments

3 Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related