Dynamic SQL and Executing SQL Text - 'Incorrect Syntax Near Column' and 'Unclosed Quotation Mark After the Character String'

Question

I am having a problem figuring out where I have a syntax error and unclosed quotation marks.

When I run this query:

    query.CommandText = "DECLARE @sql varchar(max);"
    query.CommandText = query.CommandText + " DECLARE @cond varchar(max);"
    query.CommandText = query.CommandText + " SET @cond = replace(replace(@search, '''', ''''''),' ','"" and ""');"
    query.CommandText = query.CommandText + " SET @sql = 'SELECT distinct datawarehouse.dbo.orderformdump.itemno, basedescription,upc,CAST((SELECT [UNITPRICE] FROM PPPLTD.dbo.[ICPRICP] WHERE [ITEMNO] = replace([DataWarehouse].[dbo].[ORDERFORMDUMP].[ITEMNO],''-'','''') AND [PRICELIST] = (select top 1 priclist from PPPLTD.dbo.ARCUS where IDCUST = (select top 1 CUSTID from PPPLTD.dbo.WEBLOGINACCESS where [USER] = ''" + Session("Username") + "'')) and [CURRENCY] = ''CDN'' and DPRICETYPE = 1) AS DECIMAL(18,2)),caseqty, qty AS userquantity FROM [DataWarehouse].[dbo].[ORDERFORMDUMP] LEFT JOIN pppltd.dbo.weboeordd ON pppltd.dbo.WEBOEORDD.ITEMNO = REPLACE(datawarehouse.dbo.ORDERFORMDUMP.ITEMNO,''-'','''') and orduniq not in (select orduniq from pppltd.dbo.weboeordsubmit) and WEBOEORDD.ORDUNIQ in (select orduniq from pppltd.dbo.weboeordh where [user] = ''" + Session("Username") + "'') where (allowinbc = ''Yes'' or allowinab = ''Yes'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and (contains((basedescription, category, datawarehouse.dbo.orderformdump.description, itembrand, itemgroup, itemname, datawarehouse.dbo.orderformdump.itemno, itemsubtype, itemtype, subcat, upc), ''""' + @cond + '""'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'or (select top 1 1 from PPPLTD.dbo.ICITEMO where OPTFIELD like ''UPC%'' and VALUE like ''%' + replace(@search, '''', '''''') + '%'''"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) is not null) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'"
    query.CommandText = query.CommandText + " EXECUTE (@sql)"

The query runs fine however, when I add the line OR REPLACE(ITEMBRAND, '''''', '''') LIKE ''%' + @search + '%''

It gives me the errors:

Incorrect syntax near 'UPC'.

and

Unclosed quotation mark after the character string 'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) is not null) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'.

Here is the full query that's giving me trouble:

    query.CommandText = "DECLARE @sql varchar(max);"
    query.CommandText = query.CommandText + " DECLARE @cond varchar(max);"
    query.CommandText = query.CommandText + " SET @cond = replace(replace(@search, '''', ''''''),' ','"" and ""');"
    query.CommandText = query.CommandText + " SET @sql = 'SELECT distinct datawarehouse.dbo.orderformdump.itemno, basedescription,upc,CAST((SELECT [UNITPRICE] FROM PPPLTD.dbo.[ICPRICP] WHERE [ITEMNO] = replace([DataWarehouse].[dbo].[ORDERFORMDUMP].[ITEMNO],''-'','''') AND [PRICELIST] = (select top 1 priclist from PPPLTD.dbo.ARCUS where IDCUST = (select top 1 CUSTID from PPPLTD.dbo.WEBLOGINACCESS where [USER] = ''" + Session("Username") + "'')) and [CURRENCY] = ''CDN'' and DPRICETYPE = 1) AS DECIMAL(18,2)),caseqty, qty AS userquantity FROM [DataWarehouse].[dbo].[ORDERFORMDUMP] LEFT JOIN pppltd.dbo.weboeordd ON pppltd.dbo.WEBOEORDD.ITEMNO = REPLACE(datawarehouse.dbo.ORDERFORMDUMP.ITEMNO,''-'','''') and orduniq not in (select orduniq from pppltd.dbo.weboeordsubmit) and WEBOEORDD.ORDUNIQ in (select orduniq from pppltd.dbo.weboeordh where [user] = ''" + Session("Username") + "'') where (allowinbc = ''Yes'' or allowinab = ''Yes'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and (contains((basedescription, category, datawarehouse.dbo.orderformdump.description, itembrand, itemgroup, itemname, datawarehouse.dbo.orderformdump.itemno, itemsubtype, itemtype, subcat, upc), ''""' + @cond + '""'') OR REPLACE(ITEMBRAND, '''''', '''') LIKE ''%' + @search + '%'' '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'or (select top 1 1 from PPPLTD.dbo.ICITEMO where OPTFIELD like ''UPC%'' and VALUE like ''%' + replace(@search, '''', '''''') + '%'''"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) is not null) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'"
    query.CommandText = query.CommandText + " EXECUTE (@sql)"

I've tried printing the statment and I still can't find where my error is.

I'm adding the new line of SQL at the end of the 6th line.

Thank you.

Answer 1

Try changing REPLACE(ITEMBRAND, '''''', '''') to REPLACE(ITEMBRAND, '''''''', '''')

Added another ', so instead of REPLACE(ITEMBRAND ,''' ,'') being returned, it returns REPLACE(ITEMBRAND ,'''' ,'')