Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Correct String Escaping for T-SQL string literals

Tags:

c#

sql-server

tsql

I want to use a query as following, I am looking for exact information/link to escape strings

BookTitle is NVARCHAR(200)

SELECT * FROM Books WHERE BookTitle IN ('Mars and Venus', 'Stack''s Overflow \r\n')

Question: Does only "'" needs to be escaped or even \r\n needs to be escaped as well? MySql .Net Provider exposes a method to escape string values, is there any such function in Sql Server .Net Provider?

I probably need C# equivalent escaping for string values.

I am aware of Parameterized Command, but in order to minimize my server to client communication, and my values in IN clause are in number from 20 to 50, it becomes too much network expensive to run SELECTs for each value of BookTitle in one call. Rather running single query and returning all results cascaded helps saving network resources.

like image 677
Akash Kava Avatar asked Aug 12 '09 15:08

Akash Kava

People also ask

What characters should be escaped in SQL?

%, _, [, ], and ^ need to be escaped, and you will need to choose a suitable escape character, i.e. one that you aren't using elsewhere in your LIKE pattern.

How do you escape a string literal?

String literal syntaxUse the escape sequence \\ to represent a backslash character as part of the string. You can represent a single quotation mark symbol either by itself or with the escape sequence \' . You must use the escape sequence \" to represent a double quotation mark.

How do I escape a string in SQL?

The simplest method to escape single quotes in SQL is to use two single quotes. For example, if you wanted to show the value O'Reilly, you would use two quotes in the middle instead of one. The single quote is the escape character in Oracle, SQL Server, MySQL, and PostgreSQL.

How do I escape a special character in a string in SQL?

Use braces to escape a string of characters or symbols. Everything within a set of braces in considered part of the escape sequence. When you use braces to escape a single character, the escaped character becomes a separate token in the query. Use the backslash character to escape a single character or symbol.

1 Answers

SQL Server won't recognise the \r\n sequence, whether it's escaped or not.

You'll need to do something like this instead if you want to match the \r\n in BookTitle:

-- \r = CHAR(13)
-- \n = CHAR(10)
SELECT *
FROM Books
WHERE BookTitle IN ('Mars and Venus', 'Stack''s Overflow ' + CHAR(13) + CHAR(10))
like image 125
LukeH Avatar answered Oct 26 '22 00:10

LukeH
Sign in to Comment

Related questions

Convert DataTable to generic List?
SQL Server Trigger - Send Message to Queue
Difference between Expression.Call overloads?
Using keyboard shortcuts with LinkLabel controls
DataTable to List<object>
Multiple audio outputs in .Net
Does the C# Convert.ToDateTIme function read date as "dd/mm/yyyy" or "mm/dd/yyyy"?
How do you copy a file into SharePoint using a WebService?
How can I achieve non-infinite receive and send timeouts on a socket under Compact Framework?
Talking to a printer
C# or .NET Flushing Keyboard Buffer
C#: Pass a user-defined type to a Oracle stored procedure
Get MethodInfo for Extension Method
Generate a thumbnail of a Word document
Programmatically Cancel a SharePoint Workflow
Sorting an List<> with my custom order which is stored in another List (C#)?
Play sound in .NET using generated waveform data
C#: Initializing an event handler with a dummy
Why is OnClosing obsolete and should I migrate to OnFormClosing
Lambda Expression for Class Property

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!