What characters should be escaped in SQL string parameters

I need a complete list of characters that should be escaped in SQL string parameters to prevent exceptions. I assume that I need to replace all offensive characters with a shielded version before passing it to the ObjectDataSource filter parameter.

+3
4 answers

No, the ObjectDataSource object will handle all the escaping for you. Any parameterized query also does not require escaping.

+3

, 99% , - , , . - . , , (, MySQL mysql_real_escape_string).

+1

SQL: :

, . , , . , \x0000, , \x0000 .

, escape-. escape- .

\
\b      Backspace
\
\
\r      Carriage return
\t      Horizontal tab
\v      Vertical tab
\"      Quotation mark
\\      Backslash
\xhhhh  Unicode character in hexadecimal notation

0

Here is what I used to get rid of the apostrophes. You can do the same with other offensive characters you encounter. (example in VB.Net)

' Start with an empty filter so the grid shows every row when no company is chosen.
Dim filterString As String = ""
Dim companyFilter As String = Trim(Me.ddCompany.SelectedValue)

If (Me.ddCompany.SelectedIndex > 0) Then
    ' Double each apostrophe so the value survives inside the single-quoted literal.
    filterString += String.Format("LegalName like '{0}'", companyFilter.Replace("'", "''"))
End If

Me.objectDataSource.FilterExpression = filterString

Me.displayGrid.DataBind()
0
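To show the two approaches from the answers side by side, here is an added example (not code from the original thread) using Python's sqlite3 module and a constructed in-memory table: doubling apostrophes the way the VB.Net answer does, versus the parameterized query the accepted answer recommends, where nothing needs escaping.

```python
import sqlite3

# Constructed sample data standing in for the grid's data source (not from the page).
ROWS = [("Acme Ltd",), ("O'Brien & Sons",), ("Smith's Hardware",)]


def open_db() -> sqlite3.Connection:
    """Build an in-memory Company table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Company (LegalName TEXT)")
    conn.executemany("INSERT INTO Company VALUES (?)", ROWS)
    return conn


def quote_literal(value: str) -> str:
    """What the VB.Net answer does: double every apostrophe so the value
    can be placed inside a single-quoted SQL string literal."""
    return "'" + value.replace("'", "''") + "'"


def filter_concat(conn: sqlite3.Connection, company: str, escape: bool) -> list:
    """Filter built by string concatenation. With escape=False this is the
    situation the question describes: an apostrophe in the input breaks the
    statement and the driver raises an exception."""
    literal = quote_literal(company) if escape else "'" + company + "'"
    sql = "SELECT LegalName FROM Company WHERE LegalName LIKE " + literal
    return [row[0] for row in conn.execute(sql)]


def filter_param(conn: sqlite3.Connection, company: str) -> list:
    """Parameterized query: the value never becomes part of the SQL text,
    so no character needs escaping (the accepted answer's point)."""
    sql = "SELECT LegalName FROM Company WHERE LegalName LIKE ?"
    return [row[0] for row in conn.execute(sql, (company,))]


def concat_raises(conn: sqlite3.Connection, company: str) -> bool:
    """True if the unescaped concatenated filter fails with a syntax error."""
    try:
        filter_concat(conn, company, escape=False)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(filter_param(db, "O'Brien & Sons"))
    print(filter_concat(db, "O'Brien & Sons", escape=True))
    print(concat_raises(db, "O'Brien & Sons"))
```

Doubling the apostrophe only fixes the quoting problem; with LIKE the characters % and _ in the input still act as wildcards under both approaches, so restrict or escape them separately if the filter is meant to be an exact match.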

Source: https://habr.com/ru/post/1712225/
