ansaurus

Question

Correct String Escaping for T-SQL string literals

Answer 1

+3 A:

SQL Server won't recognise the \r\n sequence, whether it's escaped or not.

You'll need to do something like this instead if you want to match the \r\n in BookTitle:

-- \r = CHAR(13)
-- \n = CHAR(10)
SELECT *
FROM Books
WHERE BookTitle IN ('Mars and Venus', 'Stack''s Overflow ' + CHAR(13) + CHAR(10))

LukeH 2009-08-12 15:23:43

Yes I get that, but I need to do this in C# dynamically for each type, like I would need an escape sequence that I can use string.replace for all such values and prepare final query.

Akash Kava 2009-08-12 15:25:40

In that case, don't use string escaping. Use a parameterised query instead.

LukeH 2009-08-12 15:27:13

Answer 2

+1 A:

There are more things that have to be escaped than just quotes or new line characters. What if there's a binary input (by hacker)? Better use PreparedStatement (in java) or any other equivalent in the target language. Java sample:

PreparedStatement ps = con.prepareStatement("SELECT * FROM Books WHERE BookTitle IN (?, ?)");
ps.setString(1, "Mars and Venus");
ps.setString(2, "Stack's Overflow
and 
");

ResultSet rs = ps.executeQuery();
....

Daniil 2009-08-12 15:24:21

Although this is not complete answer, but yes I tried similar thing in c# with little workaround and its acceptable for now.

Akash Kava 2009-08-12 19:42:38

Answer 3

+5 A:

Joel Coehoorn 2009-08-12 15:25:29

I cant do parameterized query because it requires IN operation, and since server to client communication is over internet, I dont want to requery server for all values in one statement per value. That takes too much time and resources.

Akash Kava 2009-08-12 15:29:42

Insert the values individually into a separate table with a session key, and then use that for your IN.

Joel Coehoorn 2009-08-12 15:33:28

Or pass the values as a delimited list in a parameter, and parse them into a temp table in the stored procedure, using that as part of the WHERE clause, as I indicated in my answer.

Cyberherbalist 2009-08-12 17:46:06

I'm not a fan of the delimited list approach: you're still having to operating on data yourself.

Joel Coehoorn 2009-08-12 18:23:50

Answer 4

A:

You could use table value parameters to pass in the the values for your IN statement. If you are not using a new enough version of visual studio and/or sql server to have access to table value parameters, you can instead pass in one comma separated list as string parameter, and then parse the the parameter into a table. There are several methods to split strings into a temp table/table variable. You can google "split function in sql server" for several options.

Bryant Bowman 2009-08-12 15:39:26

Answer 5

A:

Usually what I'd do for situations like this, is pass your information in as a parameter, but in XML, so you can do something like this:

DECLARE @iDoc INT
EXEC sp_xml_preparedocument @iDoc OUTPUT, @MyXml

SELECT
    *
FROM
    MyTable
WHERE
    MyColumn IN (SELECT [Id] FROM OPENXML(@iDoc,'/ss/s',2) WITH ([Id] INT '.'))

EXEC sp_xml_removedocument @iDoc

in this case, the xml would look like '<ss><s>1</s><s>2</s>...etc...</ss>'

John 2009-08-12 15:45:54

A CRLF wouldn't survive the xml-processing, would it? Since it's treated as whitespace you'd have to escape it somehow. How do you escape a CRLF in Xml anyway? I guess with CDATA, but how would that play out in the query?

Cyberherbalist 2009-08-12 17:49:45

I don't believe whitespace in general needs to be escaped in XML; it's just what it is

John 2009-08-12 19:55:48

Answer 6

+1 A:

I've run into a similar problem, where I needed to have a IN in my select query, and the number of elements varied at run time.

I use a parameterized query in the form of a stored procedure and pass in a delimited string containing the list of things I'm looking for. The escaping is automatically handled by the system, no need to take extraordinary steps. Better not make it delimited by characters that will be found in the text you're searching (like commas). a vertical bar ("|") would probably work best in many cases.

By the way, make sure the CRLFs in your table are CHAR(13)+CHAR(10) because the opposite way around isn't \r\n and you wouldn't find it if Environment.NewLine was part of your search.

Here's a stored procedure using a quick and dirty parse resolving to a table that I have used:

CREATE PROCEDURE FindBooks
(
    @list varchar(500)
)
AS

CREATE TABLE #parse_table (item varchar(500))

DECLARE @temp                    VARCHAR(500)
DECLARE @result                  VARCHAR(500)
DECLARE @str                     VARCHAR(500)
DECLARE @pos                     SMALLINT

SET @temp = RTRIM(LTRIM(@list))
SET @pos = 1

WHILE @pos > 0
    BEGIN
    SET @pos = CHARINDEX('|',@temp)
    IF @pos > 0 
       BEGIN
         SET @result = SUBSTRING(@temp,1,@pos - 1)
         SET @temp = RTRIM(LTRIM(SUBSTRING(@temp,@pos+1,LEN(@temp) - @pos)))

         INSERT INTO #parse_table
     SELECT @result
       END
    ELSE
       INSERT INTO #parse_table
       SELECT @temp
END

SELECT * FROM Books WHERE Title in (select * from #parse_table)

Simply create your list of book titles as a simple string (containing whatever embedded apostrophes, CRLFs, and so on) and use a parameterized query. Of course, your stored proc can contain other things besides the delimited list.

Cyberherbalist 2009-08-12 17:43:10

ansaurus

tags:

views:

answers:

Correct String Escaping for T-SQL string literals

related questions