 

How to escape a single quote to be used in an OData query?

Tags:

c#

odata



Actually %27 is not a solution. The correct way to escape is to place two single quotes into the string instead of one. For example, "o''clock".


I want to expand upon the answer a bit so that it also applies to calling an oData Service Operation Action. The posted answer is correct, but there is a specific order in which the parameters to a service operation must be encoded.

oData Service Operations receive primitive type parameters where strings are enclosed in a ' such that a valid url (pre encoding) will be as such

AddString?value='o''clock'

This will cause the server to see

AddString?value='o'

and

'clock'

will produce "Bad Request - Error in query syntax."

To correct this, you must double escape the ' and UrlEncode it prior to insertion into the url.

Do not UrlEncode the url itself.

Here's an example that will work.

using System;
using System.Threading.Tasks;
using System.Web; // HttpUtility

// Client side
// value passed as "o'clock"
public async Task AddString(string value)
{
    // Escape ' with '' and UrlEncode value
    value = HttpUtility.UrlEncode(value.Replace("'", "''"));

    string url = String.Format("AddString?value='{0}'", value);

    // No need to UrlEncode url here as dynamic content has already been escaped

    // Execute .....
}

// Server side: the service operation that receives the value
[WebGet]
public void AddString(string value)
{
    // here value will be "o'clock"
}

It's actually described in oData docs: http://docs.oasis-open.org/odata/odata/v4.01/cs01/part2-url-conventions/odata-v4.01-cs01-part2-url-conventions.html#sec_URLComponents

For example, one of these rules is that single quotes within string literals are represented as two consecutive single quotes.

Example 3: valid OData URLs:

http://host/service/People('O''Neil')

http://host/service/People(%27O%27%27Neil%27)

http://host/service/People%28%27O%27%27Neil%27%29

http://host/service/Categories('Smartphone%2FTablet')

Example 4: invalid OData URLs:

http://host/service/People('O'Neil')

http://host/service/People('O%27Neil')

http://host/service/Categories('Smartphone/Tablet')

The first and second examples are invalid because a single quote in a string literal must be represented as two consecutive single quotes. The third example is invalid because forward slashes are interpreted as path segment separators and Categories('Smartphone is not a valid OData path segment, nor is Tablet').
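
The rules from the answers above (double the quote first, then percent-encode only the value, never the whole URL) can be put in one helper. This is an added example, not code from the posts or from the OData specification; the names ODataUrl, StringLiteral and ParseLiteral are hypothetical, and the inputs are the sample values used on this page.

```csharp
using System;

// Added example: helper names (ODataUrl, StringLiteral, ParseLiteral) are hypothetical.
public static class ODataUrl
{
    // Build a percent-encoded OData string literal from a raw value:
    // 1) double every single quote, 2) wrap in quotes, 3) percent-encode once.
    public static string StringLiteral(string raw)
    {
        if (raw == null) throw new ArgumentNullException(nameof(raw));
        string literal = "'" + raw.Replace("'", "''") + "'";
        // EscapeDataString also encodes '/', so the value cannot split a path segment.
        return Uri.EscapeDataString(literal);
    }

    // What the receiving side does: percent-decode, then undo the quote doubling.
    public static string ParseLiteral(string encoded)
    {
        string literal = Uri.UnescapeDataString(encoded);
        if (literal.Length < 2 || literal[0] != '\'' || literal[literal.Length - 1] != '\'')
            throw new FormatException("Not a quoted string literal: " + literal);
        string body = literal.Substring(1, literal.Length - 2);
        // After removing doubled quotes, any quote left over is unescaped and invalid.
        if (body.Replace("''", "").Contains("'"))
            throw new FormatException("Unescaped single quote in: " + literal);
        return body.Replace("''", "'");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, taken from the examples on this page.
        foreach (string raw in new[] { "o'clock", "O'Neil", "Smartphone/Tablet" })
        {
            string lit = ODataUrl.StringLiteral(raw);
            Console.WriteLine("People(" + lit + ")  AddString?value=" + lit);
            if (ODataUrl.ParseLiteral(lit) != raw) throw new Exception("round trip failed");
        }
        // The page's invalid form: %27 alone is just a quote after decoding.
        try { ODataUrl.ParseLiteral("'O%27Neil'"); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The last call shows why %27 on its own does not escape anything: after percent-decoding it is an ordinary single quote that ends the literal early.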