| From | Gene Wirchenko <genew@ocis.net> |
|---|---|
| Newsgroups | comp.databases.ms-sqlserver, microsoft.public.sqlserver.programming |
| Subject | Re: Escape Characters in Strings |
| Date | 2012-08-22 09:10 -0700 |
| Organization | A noiseless patient Spider |
| Message-ID | <2s0a38toaa3n1th1e42kmat8n0ei6v9bah@4ax.com> |
| References | <n03838l2qs18qe540g4fe6j3stemkeo5pr@4ax.com> <XnsA0B7614C3AD91Yazorman@127.0.0.1> |
On Wed, 22 Aug 2012 07:33:53 +0000 (UTC), Erland Sommarskog
<esquel@sommarskog.se> wrote:
>Gene Wirchenko (genew@ocis.net) writes:
>>
>> Does SQL Server have any string escape characters besides
>> doubling of quotation marks as in
>> 'This is a single quotation mark('').'
>> "This is a double quotation mark("")."
>> I will have text which could contain both.
>
>Note that " is not a string delimiter, it is an identifier delimiter.
>...unless QUOTED_IDENTIFIER is off, in which case it is a string delimiter,
>but that's a legacy setting you should stay away from.
>
>And, no, there is no other choice but double the single quotes. Or double
>the double quotes or right brackets in an identifier.
My question was really whether there are any other escape
characters? Are there?
>
>> Why, yes, I am sanitising input. It is from a Web browser so I
>> do not see how I can avoid using sanitising. If there is such a
>> solution, please let me know.
>
>It's not clear to me why you want to sanitise. You are not writing code like:
>
> sSQL = "SELECT ... FROM Orders WHERE CustomerID = " & custid_field
>
>are you? As long as you pass all user input as parameters in a proper way,
>there is no need to modify the user input from a strict SQL perspective.
No. I will be passing parameters, but I need to be sure that
they are properly delimited and escaped. For example, if I do not
escape quotes, it may allow trouble.
Sincerely,
Gene Wirchenko
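The two points of the exchange above, shown in T-SQL as an added example that is not part of the thread: inside a string literal the only escape is doubling the delimiter (a double quote is not special while the default SET QUOTED_IDENTIFIER ON is in effect), and a value passed as a parameter to sp_executesql needs no escaping at all because it is never parsed as SQL text. The sample value is constructed to contain both quote kinds and a closing bracket; the column names are arbitrary.

```sql
-- Added example, not code from the thread. Assumes the session default
-- SET QUOTED_IDENTIFIER ON (the legacy OFF setting would make " a string
-- delimiter, as the reply notes).

-- Constructed sample value: both kinds of quote plus a closing bracket.
DECLARE @input nvarchar(100) = N'O''Brien said "hi" ]';

-- 1) String literal: the embedded ' is doubled; the " needs nothing.
SELECT N'It''s a "quoted" word' AS literal_example;

-- 2) Parameterised dynamic SQL: the value travels as @v, so the quotes in it
--    cannot terminate the literal or alter the statement. No escaping done.
DECLARE @sql nvarchar(max) = N'SELECT @v AS echoed, LEN(@v) AS char_count;';
EXEC sys.sp_executesql @sql, N'@v nvarchar(100)', @v = @input;

-- 3) When something must be spliced into SQL text as a delimited token
--    (identifiers cannot be parameters), QUOTENAME doubles whichever
--    delimiter is chosen, matching the doubling rules in the reply.
SELECT QUOTENAME(@input, '''') AS as_string_literal,  -- doubles the '
       QUOTENAME(@input, '"')  AS as_quoted_identifier, -- doubles the "
       QUOTENAME(@input)       AS as_bracket_identifier; -- doubles the ]
```

The practical reading for the original question: escaping by doubling is only needed where the value is being turned into SQL text (case 3); for ordinary user data passed as a parameter (case 2) there is nothing to delimit or escape on the application side. QUOTENAME returns NULL for inputs longer than 128 characters, which is worth checking for if case 3 is ever used with user-supplied names.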