Beware of Comments in SQL < Eddie Awad’s Blog

Beware of Comments in SQL

In SQL and PL/SQL there are two comment styles you can use, single-line and multi-line:

Multi-line comments begin with a slash and an asterisk (/*) and end with an asterisk and a slash (*/). the comment can span multiple lines.
single-line comments begin with -- (two hyphens) and end with a line break. The comment text cannot extend to a new line. So, a double hyphen anywhere on a line turns the rest of the line into a comment.

The turns the rest of the line into a comment can sometimes cause unexpected behavior. My coworker was working on a Oracle form. He created an LOV based on a query similar to this (not the actual query, modified for simplicity):

select employee_id, first_name
from employees
where manager_id = 100 -- The king
and job_id = 'ST_MAN'

The above query returned 5 rows when executed in SQL*Plus. However, when bringing up the LOV in the form, there were 14 records. Where did the extra 9 rows come from? After turning trace on and analyzing the trace file, he noticed that somehow the above query was passed to Oracle like this:

select employee_id, first_name
from employees where manager_id = 100 -- The king and job_id = 'ST_MAN'

Which means that whatever is after the -- was treated as a comment and, as a result, was not executed. The where clause was effectively truncated which explains why he was getting 14 rows instead of 5. The fix was simple:

select employee_id, first_name
from employees
where manager_id = 100 /* The king */
and job_id = 'ST_MAN'

So, what have we learned? We learned to avoid commenting using two hyphens and instead use the slash and asterisk /* */ commenting style inside SQL statements.

Possibly related:

Tagged gotcha, sql | Post a Comment | Trackback URI

Comments (14)

Albaraha wrote:
That seems so stupid from Oracle, Eddie.
Does this apply to all versions?
October 9th, 2007, at 10:02 am #
Eddie Awad wrote:
I do not know if this applies to all versions. We have Oracle Forms version 6, EBS 11.5.10 and a 10gR1 database.
October 9th, 2007, at 10:25 am #
Gary wrote:
The /…/ style comments are much better if you ever have to dig SQL out of the V$SQL views
October 9th, 2007, at 3:17 pm #
Gary wrote:
[That looks odd - looks like it did something to the asterisks - try again /../]
October 9th, 2007, at 3:18 pm #
Eddie Awad wrote:
Gary, right, it’s better. The only disadvantage of the slash and asterisk commenting style is that it requires more typing than the double hyphen.

By the way, the stupid Markdown syntax ate the asterisks *. Sorry. I used the backslash \ to escape it.
October 9th, 2007, at 3:30 pm #
Matt wrote:
Huh, I’ve never experienced that so thanks for the tip. However, the biggest sin he committed was hard-coding a value instead of referencing the block.field value. Think of the noobs who will see this and do the same.
October 10th, 2007, at 7:14 am #
Eddie Awad wrote:
Matt, thanks for your tip too. I agree with you, hardcoding should be avoided. However, the query above is not the actual query that is used in the form. I just used a simple query here for demonstration purposes and to illustrate the problem that we faced.
October 10th, 2007, at 8:14 am #
William Robertson wrote:
So you mean, “Beware of comments in Oracle Forms LOV definitions”? That’s not the same thing as “Beware of Comments in SQL”.
October 10th, 2007, at 3:10 pm #
Eddie Awad wrote:
William, sure, if you want to be picky I can be even pickier: “Beware of double hyphen style comments in Oracle Forms LOV definitions”.

But, I can think of at least a couple of situations that have nothing to do with LOVs in Oracle Forms and where double hyphen style comments inside SQL can cause problems.

While debugging ColdFusion web applications, the SQL used in these applications is logged, usually as a long string with no line breaks. Having a double hyphen comment in the middle of it will cause a problem when trying to execute it as is. I usually need to edit the SQL first, which is a hassle. I think this is indirectly related to Gary’s comment above.

The second situation is, well, rather simple. For example:
```
SQL> select * from dual;

D
-
X

SQL> select * -- comment here from dual;
select * -- comment here from dual
                                 *
ERROR at line 1:
ORA-00923: FROM keyword not found where expected

SQL> select * /* comment here */ from dual;

D
-
X
```
Powel also shared an interesting thing about comments in SQL*Plus.
October 10th, 2007, at 3:43 pm #
William Robertson wrote:
Well, duh

Though it did remind me of the colleague who couldn’t work out why he got a “missing expression” error with something like this:

EXECUTE IMMEDIATE
‘SELECT –+ FULL(e) ‘ ||
‘ COUNT(*) ‘ ||
‘FROM emp e ‘ ||
‘WHERE e.empno = 42′ INTO v;
October 10th, 2007, at 4:29 pm #
William Robertson wrote:
…only with the line breaks I posted left in…
October 10th, 2007, at 4:30 pm #
Pythian Group Blog » Blog Archive » Log Buffer #66: a Carnival of the Vanities for DBAs wrote:
[…] Awad reminds us, beware of comments in SQL. Beware also of SQL injection. It is no laughing matter, I assure you. Nonetheless, Andrew Clarke […]
October 12th, 2007, at 9:40 am #
coskan wrote:
and what about this

http://coskan.wordpress.com/2007/04/23/oracle-idiosyncrasies-2/
October 15th, 2007, at 4:58 am #
Eddie Awad wrote:
Good one Coskan. By the way, Gary and William, I have fixed the formatting in the comments, so the line breaks and the /* */ are preserved.
October 15th, 2007, at 12:53 pm #

Beware of Comments in SQL

Comments (14)

Home > About This Post

Post a Comment

Search This Blog

Recent Articles

Most Viewed Articles

Recent Comments

Meta

Elsewhere, I

About This Blog