Handling quote marks in sql?
-
I currently strip out any quote marks from data input (and many other characters) when sending data to the database but would like the user to be able to enter quote marks if they wish. I use mostly stored procedures to update data but often compose sql on the fly for ad hoc searching. Can anyone tell me how I should be handling the characters which are used in T-SQL such as ' and % Thanks in advance - Dave
-
davebarkshire wrote:
Can anyone tell me how I should be handling the characters which are used in T-SQL such as ' and %

Use parameterised queries.

davebarkshire wrote:
compose sql on the fly for ad hoc searching

It also sounds like you should read up on SQL Injection Attacks
Do you want to know more? WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and Forums
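Added example, not part of this thread: the parameterised approach from the reply above, worked through in Python's sqlite3 module as a stand-in for SQL Server (ADO.NET's SqlParameter works the same way, only the placeholder syntax differs). The table name, column names and sample rows are constructed for the example. It covers both characters the question asks about: a quote mark needs no handling at all once the value travels as a parameter, while % (and _) only matter inside a LIKE pattern, where they are escaped with an ESCAPE clause rather than stripped from the input.

```python
import sqlite3

# Constructed sample data standing in for a SQL Server table.
SAMPLE_ROWS = [
    ("O'Brien", "Dublin"),
    ("100% cotton", "Leeds"),
    ("Smith", "York"),
    ("under_score", "Bath"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE wildcards so user input is matched literally.

    Only needed when the value is spliced into a LIKE pattern; a plain
    equality comparison needs no escaping at all.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def find_exact(conn, name):
    """Equality search. Quote marks in `name` are fine: the driver sends the
    value separately and never splices it into the SQL text."""
    cur = conn.execute(
        "SELECT name, city FROM customers WHERE name = ?", (name,))
    return cur.fetchall()


def search_contains(conn, term):
    """Ad hoc 'contains' search. The wildcard % is added by us, the user's
    own % and _ are escaped, and the ESCAPE clause tells the engine which
    character is the escape."""
    pattern = "%" + escape_like(term) + "%"
    cur = conn.execute(
        "SELECT name FROM customers WHERE name LIKE ? ESCAPE '\\'",
        (pattern,))
    return [row[0] for row in cur.fetchall()]


def concatenated_search(conn, term):
    """The 'before' form: SQL built by string concatenation. A quote mark in
    the input breaks the statement, which is why parameters are the fix
    rather than stripping characters. Returns None when the statement fails."""
    sql = "SELECT name FROM customers WHERE name = '" + term + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    print(find_exact(db, "O'Brien"))        # parameter carries the quote mark
    print(search_contains(db, "%"))         # literal percent sign only
    print(search_contains(db, "_"))         # literal underscore only
    print(concatenated_search(db, "O'Brien"))  # None: statement is malformed
```

The LIKE search is the one place where handling is still needed, and it is handled by escaping inside the parameter value, not by sanitising the input before it reaches the database. T-SQL supports the same ESCAPE clause, so the pattern carries over to a SqlCommand with a @term parameter unchanged.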
-
Nothing but porn on that link.
-
:wtf: What the.... Here is the link again: http://www.codeproject.com/useritems/SqlInjectionAttacks.asp