Escape characters


Sathyaish

What should one pass as a field value into a table in the insert
statement if the value contained a percentage symbol (%) or the
asterisk symbol (*), since both of these have special wildcard
meanings? What if I want to pass the special meanings and pass them as
literals? Is there any escape character that I must use? I am using
ADO.NET v1.1 of the framework with VB.NET. The database is Microsoft
SQL Server 2000.
 
Hi Sathyaish,

AFAIK, when using INSERT INTO command, you don't need to worry about (%) and
(*). Wildcard characters are used to search specified columns after LIKE
operator.

HTH

Elton Wang
 
Sathyaish,

Elton is right, but I'd like to mention one of the great things about the
.NET framework. As long as you use the built-in parameter specification
process .NET takes care of escaping characters for you. In fact, if you
don't use the built-in parameter process you are possibly leaving your
applications open to SQL injection attacks. I highly recommend using the
parameters.

For example:

SqlCommand.Parameters.Add("@Id", SqlDbType.Int).Value = MyId



--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
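
The two replies above, put together as an added example that is not from any poster in this thread: a parameterized INSERT that stores % and * unchanged, and a LIKE search where the pattern characters have to be bracketed to match literally. The Products table, its Description column, the helper names and the sample value are assumptions made for illustration.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module WildcardDemo

    ' INSERT: the value travels as a parameter, never as SQL text,
    ' so % and * are stored exactly as given.
    Function BuildInsert(ByVal description As String) As SqlCommand
        Dim cmd As New SqlCommand( _
            "INSERT INTO Products (Description) VALUES (@Description)")
        cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 100).Value = description
        Return cmd
    End Function

    ' T-SQL LIKE treats %, _ and [ as pattern characters even when the
    ' pattern arrives in a parameter. Bracketing each one makes it literal.
    ' "[" is replaced first so the brackets added afterwards are left alone.
    Function EscapeLike(ByVal text As String) As String
        Return text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    ' LIKE search for rows whose Description contains the literal text.
    Function BuildSearch(ByVal literalText As String) As SqlCommand
        Dim cmd As New SqlCommand( _
            "SELECT Description FROM Products WHERE Description LIKE @Pattern")
        cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 100).Value = _
            "%" & EscapeLike(literalText) & "%"
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample value with both characters from the question.
        Dim value As String = "50% off * selected items"

        Dim insert As SqlCommand = BuildInsert(value)
        Console.WriteLine(insert.CommandText)
        Console.WriteLine(insert.Parameters("@Description").Value)

        Dim search As SqlCommand = BuildSearch("50%")
        Console.WriteLine(search.CommandText)
        Console.WriteLine(search.Parameters("@Pattern").Value)

        ' To execute either command, set its Connection property to an
        ' open SqlConnection and call ExecuteNonQuery or ExecuteReader.
    End Sub

End Module
```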
 