what characters should be escaped in sql string parameters

Question

I need a complete list of characters that should be escaped in sql string parameters to prevent exceptions. I assume that I need to replace all the offending characters with the escaped version before I pass it to my ObjectDataSource filter parameter.

Answer 1

No, the ObjectDataSource will handle all the escaping for you. Any parametrized query will also require no escaping.

Answer 2

As others have pointed out, in 99% of the cases where someone thinks they need to ask this question, they are doing it wrong. Parameterization is the way to go. If you really need to escape yourself, try to find out if your DB access library offers a function for this (for example, MySQL has mysql_real_escape_string ).

Answer 3

Here's a way I used to get rid of apostrophes. You could do the same thing with other offending characters that you run into. (example in VB.Net)

Dim companyFilter = Trim(Me.ddCompany.SelectedValue)

If (Me.ddCompany.SelectedIndex > 0) Then
      filterString += String.Format("LegalName like '{0}'", companyFilter.Replace("'", "''"))
End If

Me.objectDataSource.FilterExpression = filterString

Me.displayGrid.DataBind()

Answer 4

SQL Books online: Search for String Literals:

String Literals

A string literal consists of zero or more characters surrounded by quotation marks. If a string contains quotation marks, these must be escaped in order for the expression to parse. Any two-byte character except \\x0000 is permitted in a string, because the \\x0000 character is the null terminator of a string.

Strings can include other characters that require an escape sequence. The following table lists escape sequences for string literals.

\\a Alert

\\b Backspace

\\f Form feed

\\n New line

\\r Carriage return

\\t Horizontal tab

\\v Vertical tab

\\" Quotation mark

\\ Backslash

\\xhhhh Unicode character in hexadecimal notation