When I prepare a statement with bindValue the placeholder mark is not replaced if it is surrounded with single quotes. This is problematic since in SQL strings are surrounded by single quotes to avoid keyword conflicts.
See my attachements with screenies of the content of the database once inserted with and once without single quotes.
I already reported a bug, but meanwhile I am not sure anymore if this is not just an encoding problem. Is it correct to use single quotes, i.e. should this work/ is this really a bug?
With quoutes
Without quoutes
It is not a bug. Just don't use the single quotes. The bindValue mechanism does not just replace your :path with a string in your statement. No risk of name conflicts. See it as some kind of different namespace. :-)
http://en.wikipedia.org/wiki/Prepared_statement: Prepared statements are normally executed through a non-SQL binary protocol, for efficiency and protection from SQL injection, but with some DBMSs such as MySQL are also available using a SQL syntax for debugging purposes.
http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements: With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value.
Related
I'd like to know which characters are safe for any use in SAS macros.
So what I mean by special characters here is any character (or group of characters) that can have a specific role in SAS in any context. I'm not that interested in keywords (made of a-z 1-9 chars).
For example = ^= ; % , # are special (not sure if # is actually used in SAS, but it's used for doc so still count as a parameter that is not 'safe for all uses').
But what about $ ! ~ § { } ° etc ?
This should include characters that are special in PROC SQL as well.
I'd like to use some of these characters and give them a special meaning in my code, but I'd rather not conflict with any existing use (I'm especially interested in ~).
A bit of general reference:
reserved macro
words
Macro word rules
SAS operators and mnemonics
Rules for SAS names
I think the vast majority of the characters on a standard English keyboard are used somewhere or other in the SAS language.
To address your examples:
$ Used in format names, put/input statements, regular expression definitions...
! 'or' operator in some environments
~ 'not' operator
§ Not used as far as I know
{} Can be used for data step array references & definitions
° Not used as far as I know
None of the above do anything special in a macro context, as Tom has already made clear in his answer.
Maybe SAS Operators in Expressions can help you for ~,
looking at the tables
Comparison Operators and
Logical Operators
The main triggers in macro code are & and % which are used to trigger macro variable references and macro statements, functions or macro calls.
The ; (semi-colon) is used in macro code (as in SAS code) to indicate the end of a statement.
For passing parameters into macro parameters you mainly need to worry about , (comma). But you will also want to avoid unbalanced (). You should avoid use = when passing parameter values by position.
You can protect them by adding quotes or extra () around the values. But those characters become part of the value passed. You can use macro quoting to protect them.
%mymac(parm1='1,200',parm2=(1,200),parm3=%str(1,200),parm4="a(b")
Equal signs can be included without quoting as long as your call is using named parameters.
%mymac(parm1=a=b)
In addition to the previous answers;
% is also used to include files in your program. %include.
Using special characters may cause your code to get stuck in a loop due to unbalanced quotes. SAS Note.
If you run into this just submit the magic string below:
*';*";*/;run;
I have a requirement to read the string with both single quotes and without quotes from a macro retrieve_context.
While calling the macro, users can call it with either single quotes or without quotes, like below:
%retrieve_context('american%s choice', work.phone_conv, '01OCT2015'd, '12OCT2015'd)
%retrieve_context(american%s choice, work.phone_conv, '01OCT2015'd, '12OCT2015'd)
How to read the first parameter in the macro without a single quote?
I tried %conv_quote = unquote(%str(&conv_quote)) but it did not work.
You're running into one of those differences between macros and data step language.
In macros, there is a concept of "quoting", hence the %unquote macro function. This doesn't refer to traditional " or ' characters, though; macro quoting is a separate thing, with not really any quote characters [there are some sort-of-characters that are used in some contexts in this regard, but they're more like placeholders]. They come from functions like %str, %nrstr, and %quote, which tokenize certain things in a macro variable so that they don't get parsed before they're intended to be.
In most contexts, though, the macro language doesn't really pay attention to ' and " characters, except to identify a quoted string in certain parsing contexts where it's necessary to do so to make things work logically. Hence, %unquote doesn't do anything about quotation marks; they are simply treated as regular characters.
You need to, instead, call a data step function to remove them (or some other things, but all of them are more complicated, like using various combinations of %substr and %index). This is done using %sysfunc, like so:
%let newvar = %sysfunc(dequote(oldvar));
Dequote() is the data step function which performs largely the same function as %unquote, but for normal quotation characters (", '). Depending on your ultimate usage, you may need to do more than this; Tom covers several of these possibilities.
If the users are supplying your macro with a value that may or may not include outer quotes then you can use the DEQUOTE() function to remove the quotes and then add them back where you need them. So if your macro is defined as having these parameters:
%macro retrieve_context(name,indata,start,stop);
Then if you want to use the value of NAME in a data step you could use:
name = dequote(symget('name'));
If you wanted to use the value to generate a WHERE clause then you could use the %SYSFUNC() macro function to call the DEQUOTE() function. So something like this:
where name = %sysfunc(quote(%qsysfunc(dequote(%superq(name)))))
If your users are literally passing in strings with % in place of single quotes then the first thing you should probably do is to replace the percents with single quotes. But make sure to keep the result macro quoted or else you might end up with unbalanced quotes.
%let name=%qsysfunc(translate(&name,"'","%"));
First of all, I use C# 4.0 to parse the code of a VB6 application.
I have some old VB6 code and about 500+ copies of it. And I use a regular expression to grab all kinds of global variables from the code. The code is described as "Yuck" and some poor victim still has to support this. So I'm hoping to help this poor sucker a bit by generating overviews of specific constants. (And yes, it should be rewritten but it ain't broke, so...)
This is a sample of a code line I need to match, in this case all boolean constants:
Public Const gDemo = False 'Is this a demo version
And this is the regular expression I use at this moment:
Public\s+Const\s+g(?'Name'[a-zA-Z][a-zA-Z0-9]*)\s+=\s+(?'Value'[0-9]*)
And I think it too is yuckie, since the * at the end of the boolean group. But if I don't use it, it will only return 'T' or 'F'. I want the whole word.
Is this the proper RegEx to use as solution or is there an even nicer-looking option?
FYI, I use similar regexs to find all string constants and all numeric constants. Those work just fine. And basically the same .BAS file is used for all 50 copies but with different values for all these variables. By parsing all files, we have a good overview of how every version is configured.
And again, yes, we need to rebuild the whole project from scratch since it becomes harder to maintain these days. But it works and we need the manpower for other tasks. It just needs the occasional tweaks...
You can use: Public\s+Const\s+g(?<Name>[a-zA-Z][a-zA-Z0-9]*)\s+=\s+(?<Value>False|True)
demo
I want to learn how to add spaces in variable names.
I know that a lot languages prevent me from doing this, but I believe that there is a trick to do this because I saw someone did it in MQL5
A MetaTrader Terminal allows to show a UI-Dialogue Panel for MMI-assisted setting values for input and extern variables declared in { Expert Advisor | Technical Indicator | Script } code, during a code-execution launch.
( Ref. a picture below ): .
If you really want to be evil you can sometimes use the left-to-right mark, U+200E which looks like a regular space but is generally not considered whitespace. Different languages and/or specific platforms may behave differently.
This trick seems to work in C# and apparently you can do similar things in ruby.
I tried this using g++ and luckily for everyone's sanity it is not allowed:
foo.cc:5:10: error: non-ASCII characters are not allowed outside of literals and identifiers
int a<U+200E> b = 3;
Please don't do this outside of pranks and April fool's day jokes.
In C++ you can't put spaces in variable names but you can get what you want using a std::map.
For example:
#include <map>
#include <string>
int main()
{
std::map<std::string, std::string> vars;
vars["Time Frame"] = "15 minutes";
vars["Indicator Period"] = "16";
// ... etc
}
The std::map is an associative container that maps one std::string onto another.
Depending on how you intend to use the map you may also want to consider using an std::unordered_map which should have higher performance but will not keep the keys sorted and may have a higher memory usage.
As much as I know, there isn't any option to add spaces to variables name.
The trouble with using spaces in names (whether filenames, variable names or something else) is that you need to have some other mechanism for determining what is part of this name and what is part of the next section of code. Your sample looks like a form, so that has it's own formatting and structure.
SQL does allow you to "quote" variable names with either [name with space] or with backticks `name with space`.
Most other languages do not allow spaces in variable names, because any whitedspace is considered a separator for different lexical unit [different name/word/variable]. There is no way you can change this, as it would alter the meaning of "normal code". Most languages do allow/use _ as a "space in names" character.
Of course, if you have "variables" that are your own construct, read from for example a database or file, you can use your own syntax, and use for example std::map<std::string, sometype> or std::unordered_map<std::string, sometype> to connect the string from your data to the corresponding value.
Spaces (white space) are used in C++ to isolate keywords and variable names, thus they cannot exist in a variable name or the compiler will treat the text as multiple identifiers.
Example - valid: static const unsigned int my_variable = 6U;
If there is a space between my and variable how does the compiler know which is the variable name? If there are two variables here, it doesn't make sense.
Also, as you can see, there may be more than one keyword in a statement.
I find a solution .In Mql5 , when you add a comment next to the variable name , it will appear instead of the variable name .
See this image : http://prntscr.com/79vaae
In MySQL, what are the differences between QUOTE() and mysql_real_escape_string()? From the MySQL documentation, I know the following:
QUOTE()
Written into SQL query
Escapes backslash, single quote, NUL, CTRL+Z
Returns a single-quoted string
Behavior relies on the MySQL server's character set
mysql_real_escape_string()
Written in C/C++ before a query is executed, allowing the escaped string to be read/modified before submission
Very inconvenient to use when compared to QUOTE()
Escapes backslash, single quote, NUL, CTRL+Z, and double quote, \n, and \r
Apparently adds more quotes to make characters easily readable in log files
Behavior relies on the MySQL server's character set
Ignoring logs, is it useful to escape \n and \r characters? With these two functions, is there a difference in client/server function efficiency? mysql_real_escape_string() sounds useful if it's desirable for a developer to process the escaped string before it's entered into a query. However, does QUOTE() not provide the most secure and reliable method of escaping strings?
I wonder if I should use QUOTE() for all queries in all languages and forget escaping strings with language-specific functions.
QUOTE()
mysql_real_escape_string()
String Literals
It seems that QUOTE() is meant to be used within SQL statements that construct other SQL statements. If you are outside of SQL, you should use mysql_real_escape_string().
[...] In a C program, you can use the mysql_real_escape_string() C API function to escape characters. [...] Within SQL statements that construct other SQL statements, you can use the QUOTE() function.
As explained at the bottom of String Literals (MySQL Manual).
QUOTE() is already in the query, so it's just as easy to break out of as if you had put nothing there. mysql_real_escape_string is essential to make an arbitrary string safe to shove in a query.
The problem of the function name being unwieldly can be easily solved by using some kind of alias. I'm no C/C++ user, but doesn't it have macros you can use to essentially write whatever you want and it gets replaced with the long function name?