Explain Codes LogoExplain Codes Logo

How to insert a value that contains an apostrophe (single quote)?

sql
sql-injection
parameterized-queries
orm
Nikita BarsukovbyNikita Barsukov·Oct 16, 2024
TLDR

To handle the infamous SQL single quote, you simply double it:

INSERT INTO customers (name) VALUES ('Marilyn Monroe''s Fan Club');
-- Did Marilyn Monroe own this fan club? Gosh, SQL got confused!

But hey, we're living in the 21st century. Use parameterized queries to avoid manual escaping:

execute_query("INSERT INTO customers (name) VALUES (?);", ["Marilyn Monroe's Fan Club"]);
-- Ah, we've got clarity now, thanks to parameterized queries!

Escaping single quotes

SQL uses single quotes to recognize string literals. Think of it as a secret language understood only by SQL, where the single quote is a VIP pass. Unfortunately, this makes the apostrophe in O'Brien a bit of a party crasher.

The double quote VIP pass

So how do you let O'Brien in without any drama? Give him a duplicate pass—double the single quote:

UPDATE customers SET name = 'O''Brien' WHERE id = 1;
-- SQL VIP party: "Oh, O'Brien, the last time you came, you made us confuse our grammar!"

Parameterized query: The conga line

Parameterized queries allow every character, special or not, to join the party without the need for a VIP pass. They're considered more secure too and prevent gatecrashers like SQL injection:

query = "INSERT INTO customers (name) VALUES (?);"
params = ("O'Neil",)
cursor.execute(query, params)

ORM: The bouncer

Object-Relational Mapping (ORM) tools handle all the hassle of VIP passes and let in everyone safely:

new_customer = Customers(name="O'Neil")
session.add(new_customer)
session.commit()
-- ORM: "Relax O'Neil, no VIP drama in my club."

Dealing with complex situations

For raw SQL handling, understanding the nuances of special characters is critical.

REPLACE function: The Makeup artist

Replace each ' with '' using REPLACE function in SQL. It's like a makeup artist making everyone look 'double' good at the party:

INSERT INTO reviews (text) VALUES (REPLACE('Today''s performance was O''Neil''s best!', '''', ''''''));
-- REPLACE function: "I can even make the most awkward sentences look good!"

SQL Server's QUOTENAME: The Master of disguise

SQL Server gives us QUOTENAME function, which takes care of quoting identifiers:

SELECT QUOTENAME('O''Neil');
-- QUOTENAME: "We all wear masks, metaphorically speaking!"

Table variable: Safe practice zone

When you want a practice arena that doesn’t persist beyond the current session, use a table variable:

DECLARE @customers TABLE (name NVARCHAR(100));
INSERT INTO @customers (name) VALUES (N'O''Neill');
-- SQL: Wake up, O'Neill! This was just a rehearsal, the real party is over there.

Coding with standards

Doubling apostrophes looks like a neat little trick, but following coding best practices is crucial.

Safety first

Use ORM tools or parameterized queries for security against SQL injections and hassle-free coding.

Valuable symbols

Your code deserves to express maximum meaning, the same way you do. So, choose your symbols with care.

explain-codes / Sql / How to insert a value that contains an apostrophe (single quote)?
Linked

How to Handle a Single Quote in Oracle SQL

How do I escape a single quote in SQL Server?

What is the difference between single quotes and double quotes in PostgreSQL?

How to escape simple SQL queries in C# for SqlServer

Sql standard to escape column names?

Including parameters in OPENQUERY

How to deal with SQL column names that look like SQL keywords?

Escaping single quotesDealing with complex situationsCoding with standards
Linked

How to Handle a Single Quote in Oracle SQL

How do I escape a single quote in SQL Server?

What is the difference between single quotes and double quotes in PostgreSQL?

How to escape simple SQL queries in C# for SqlServer

Sql standard to escape column names?

Including parameters in OPENQUERY

How to deal with SQL column names that look like SQL keywords?