STRING::ESCAPE_SQL 1g 2023-11-12 laplante@plcb.ca GOWEB/STRING — Escape Strings for SQL


title: "STRING::ESCAPE_SQL"
version: "1.0.0"
date: 2023-11-12
author: "laplante@plcb.ca"
section: "1g"
category: "GOWEB/STRING"


Name

string::escape_sql - Escape Strings for SQL

Synopsis

string::escape_sql(string)
escape_sql(string)
string::escapeSql(string)
escapeSql(string)

Description

The escape_sql function escapes a string so that it can be safely placed inside an SQL statement. It prevents SQL syntax errors and mitigates injection risks by inserting a backslash (\) before certain special characters.

Characters escaped:


Parameters


Examples

res={{
    escape_sql(dqq[['"? \n\r]]); "\n";
    escape_sql(dqq[[abcdef]]); "\n";
    escape_sql(dqq[[1'2]]); "\n";
    escape_sql(dqq[[1\\2]]); "\n";
    escape_sql(dqq[[abc search def]]); "\n";
    escape_sql_table(error:err, "a b "); err; "\n";
    escape_sql_table(error:err, "test"); err; "\n";
    sql(error: sqlerr, "select * from " + escape_sql_table(error:err, "a v")); sqlerr; "\n";
}};

Returns:

res = \'\"? \
\
abcdef
1\'2
1\\2
abc search def
string::escape_sql_table : this parameter 2 can't be use : string: "a b " invalid table name : a b
test
db::sql : error running sql 'select * from ': Error 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
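
In the last example above, escape_sql_table rejects "a v", yet the statement still reaches the server as 'select * from '. The following Python model is an added example, not GOWEB code and not the project's implementation; it refuses to build the statement when validation fails. The escaped character set is inferred from the sample output above, and the identifier rule and all function names are assumptions.

```python
import re

# Assumption: character set inferred from the sample output on this page
# (single quote, double quote, backslash, newline, carriage return).
ESCAPED = frozenset("'\"\\\n\r")

def escape_sql_model(value: str) -> str:
    """Put a backslash before each character in ESCAPED."""
    return "".join("\\" + ch if ch in ESCAPED else ch for ch in value)

# Assumption: a conservative identifier rule. The page only shows that
# "a b " and "a v" are rejected and "test" is accepted.
TABLE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def checked_name(name: str) -> str:
    """Return name unchanged if it is a plain identifier, else raise."""
    if not TABLE_NAME.fullmatch(name):
        raise ValueError(f"invalid table name: {name!r}")
    return name

def build_select(table: str, column: str, value: str) -> str:
    """Build the statement only after every identifier has been validated.

    The escaped value is always wrapped in single quotes: backslash
    escaping protects a string literal, not a bare number or identifier,
    and only where the server treats backslash as an escape character
    (MariaDB's default; not under the NO_BACKSLASH_ESCAPES sql_mode).
    """
    t = checked_name(table)   # raises before any SQL text exists
    c = checked_name(column)
    return f"SELECT * FROM {t} WHERE {c} = '{escape_sql_model(value)}'"

if __name__ == "__main__":
    # Constructed inputs, mirroring the examples on this page.
    print(build_select("test", "name", "1'2"))
    try:
        build_select("a v", "name", "x")
    except ValueError as exc:
        print("refused:", exc)
```
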

Author


See Also


Version History