Anton Gogolev

Reputation: 115691

T-SQL: When string concatenation is the only option or how to correctly escape SQL strings

I'm well aware that the only reliable way to parameterize SQL statements is, well, with parameters, named or otherwise.

Unfortunately, it's not always possible to use those. For example,

create login [user] with password = 'p@$$w0rd'

will not accept parameters at all.

What will be the most reliable way, given the circumstances, to escape strings in T-SQL?

Upvotes: 2

Views: 65

Answers (1)

Richard

Reputation: 30618

This answer looks relevant, but if you're after a more generic solution then you could ask the database to quote it for you:

SELECT QUOTENAME(@myvalue, '''')

This should return you a value that is safe to use in concatenated SQL.

Upvotes: 1
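An added worked example (not from the question or answer above) showing the approach the answer describes on the question's own CREATE LOGIN case, with a constructed hostile value, and the caveat that QUOTENAME takes a sysname and returns NULL for input longer than 128 characters. Assumes SQL Server and a constructed login name and password.

```sql
-- Constructed example: building CREATE LOGIN dynamically because it accepts no parameters.
DECLARE @name     sysname       = N'app_user';
DECLARE @password nvarchar(128) = N'p@$$w0rd'' OR 1=1--';  -- constructed hostile value

-- Naive concatenation: the embedded quote ends the literal early and the rest is parsed as SQL.
DECLARE @unsafe nvarchar(max) =
    N'CREATE LOGIN ' + @name + N' WITH PASSWORD = ''' + @password + N''';';
PRINT @unsafe;
-- CREATE LOGIN app_user WITH PASSWORD = 'p@$$w0rd' OR 1=1--';

-- Let the engine quote both pieces: default [] for the identifier,
-- and '''' for the string literal, which doubles every embedded single quote.
DECLARE @safe nvarchar(max) =
    N'CREATE LOGIN ' + QUOTENAME(@name)
  + N' WITH PASSWORD = ' + QUOTENAME(@password, '''') + N';';
PRINT @safe;
-- CREATE LOGIN [app_user] WITH PASSWORD = 'p@$$w0rd'' OR 1=1--';

-- Caveat: QUOTENAME's input is sysname (nvarchar(128)). Longer input returns NULL,
-- and NULL concatenated into the statement makes the whole statement NULL.
-- Fail loudly instead of handing a NULL to sp_executesql.
IF @safe IS NULL
    THROW 50000, N'QUOTENAME returned NULL; input longer than 128 characters?', 1;

-- For values that may exceed 128 characters, double the quotes explicitly instead.
DECLARE @long   nvarchar(max) = REPLICATE(N'x''', 100);   -- 300 characters, constructed
DECLARE @manual nvarchar(max) = N'''' + REPLACE(@long, N'''', N'''''') + N'''';

-- On a disposable instance the quoted statement is then executed with:
-- EXEC sys.sp_executesql @safe;
```

Both PRINT lines show the difference: the unsafe form closes the literal at the first embedded quote, while the QUOTENAME form keeps the whole value inside one literal.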
