21

I was trying to execute the below statement to escape single quotes (i.e. using two single quotes):

declare @year varchar(max)
set @year = '111,11';
exec ('SELECT * FROM SplitValues(' + @year + ','','')');

I even tried to use char(39) instead of quotes:

declare @year varchar(max)
set @year = '111,11';
exec ('SELECT * FROM SplitValues(' + @year + ',' + char(39) + ',' + char(39) + ')');

But it didn't help. These are the only two solutions that I found on this site. Any help?

This is the simplified query to clear up all your questions:

declare @year varchar(max)
set @year = '111,11';
SELECT * FROM SplitValues(@year , ',')

I want to achieve this, but using a dynamic query.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Saksham
  • 9,037
  • 7
  • 45
  • 73
  • Why do you need to use EXEC at all here? – Bridge Mar 14 '13 at 12:19
  • this is because the query on which i am working right now is very complex and cannot be posted here. this is just a glimpse of what i am trying to do. – Saksham Mar 14 '13 at 12:24
  • Possible duplicate of *[Replace single quotes in SQL Server](http://stackoverflow.com/questions/1440733/replace-single-quotes-in-sql-server)*. – Peter Mortensen Jan 25 '16 at 14:50

4 Answers4

38

A word of advice. When testing a dynamic script, first just display it instead of executing it. That way you will be able to see it exactly as it would be seen by the EXEC statement.

Now to the issue. You should keep in mind that you are not passing the variable to SplitValues but are instead concatenating the variable's value into the script. Since the value is varchar, it should be concatenated with quotation marks around it. The absence of them is the only problem really.

The quotes around the second argument, the comma, are escaped correctly in both cases. So, just use either of the methods to add the quotes around the first argument:

  • repetition of the quotation mark:

    DECLARE @year varchar(max), @sql varchar(max);
SET @year = '111,11';
SET @sql = 'SELECT * FROM SplitValues(''' + @year + ''','','')';
SELECT @sql;

  • using CHAR(39):

    DECLARE @year varchar(max), @sql varchar(max);
SET @year = '111,11';
SET @sql = 'SELECT * FROM SplitValues(' + CHAR(39) + @year + CHAR(39) + ',' + CHAR(39) + ',' + CHAR(39) + ')';
SELECT @sql;

Obviously, the first method is more compact, but, like I said, both work well, as this SQL Fiddle demo clearly shows.

Note, however, that you could easily escape this issue in the first place, if you pardon the pun. Instead of EXEC (), you could use EXEC sp_executesql, which allows you to use parameters. Here's the same script rewritten to use sp_executesql:

DECLARE @year varchar(max), @delim char(1);
SET @year = '111,11';
SET @delim = ',';
EXEC sp_executesql
  N'SELECT * FROM SplitValues(@year_param,@delim_param)',
  N'@year_param varchar(max), @delim_param char(1)',
  @year,@delim;

As you can see, no need to worry about escaping the quotes: SQL Server takes the trouble of substituting the values correctly, not you.

Andriy M
  • 76,112
  • 17
  • 94
  • 154
  • Sorry, I'm not sure I understand. What is the issue you are observing here? – Andriy M Nov 26 '13 at 12:57
  • I wanted to point to the irony in your initial statement that you should print the command instead of executing it for verification, but sp_executesql doesn't give you the option to print the statement without executing it. If there is a way, perhaps you should demonstrate it. I guess the printing out the statement is of limited utility since it's more readable than the alternatives. – ATL_DEV Nov 27 '13 at 00:58
  • If the dynamic query doesn't contain any name parametrisation (and there was none in this case), it doesn't need to be built out of many parts glued together. So yes, using a variable to store the query merely to print it before/instead of its execution would appear to be of little value. – Andriy M Nov 27 '13 at 04:41
  • use CHAR (39) I liked – Aetos2501 Aug 05 '21 at 18:00
16

Just type single quote two times:

select 'that''s it'
AdamL
  • 12,421
  • 5
  • 50
  • 74
  • This is the first thing which i tried as you can see in my posted solution. – Saksham Mar 14 '13 at 12:18
  • 1
    Not exactly. ' + char(39) + ' gives you three quotes, while you need four. Let's try the entire statement: exec ('SELECT * FROM SplitValues(''' + @year + ''','''','''')'); – AdamL Mar 14 '13 at 12:22
3

Ok... you want to take this string:

SELECT * FROM SplitValues(@year , ',')

And make it a string like this:

'SELECT * FROM SplitValues('111,11' , '','')'

So, your final code would be:

declare @year varchar(max), @sql varchar(max)
set @year = '111,11';
set @sql = 'SELECT * FROM SplitValues(''' + @year + ''' , '''','''')'

select @sql

Actually, finally select you would use exec() instead. However you really should probably use sp_sqlexecute for stuff like this since you can use paramaterized queries.

Brandon
  • 68,708
  • 30
  • 194
  • 223
PilotBob
  • 3,107
  • 7
  • 35
  • 52
-1
declare @var1 varchar(100)
declare @var3 varchar(100)
declare @var4 varchar(100)

declare @var2 nvarchar(MAX)
set @var1 = ‘anil’
set @var4 = ‘1019518594’

set @var2 = N’select
a.*
from card b
join log a on a.Cust = b.ID
where a.c = ”’ + @var1 + ”’ and b.s =”’+ @var4 +””

print(@var2)

exec sp_executesql @var2
Pingolin
  • 3,161
  • 6
  • 25
  • 40
Anil Kale
  • 1