Escape Character in SQL Server

To escape ' you simly need to put another before: ''

As the second answer shows it’s possible to escape single quote like this:

select 'it''s escaped'

result will be

it's escaped

If you’re concatenating SQL into a VARCHAR to execute (i.e. dynamic SQL), then I’d recommend parameterising the SQL. This has the benefit of helping guard against SQL injection plus means you don’t have to worry about escaping quotes like this (which you do by doubling up the quotes).

e.g. instead of doing

DECLARE @SQL NVARCHAR(1000)
SET @SQL = 'SELECT * FROM MyTable WHERE Field1 = ''AAA'''
EXECUTE(@SQL)

try this:

DECLARE @SQL NVARCHAR(1000)
SET @SQL = 'SELECT * FROM MyTable WHERE Field1 = @Field1'
EXECUTE sp_executesql @SQL, N'@Field1 VARCHAR(10)', 'AAA'

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. Illegal Escape Character “\”
  3. What characters must be escaped in HTML 5?
  4. How can I selectively escape percent (%) in Python strings?
  5. How do I escape a single quote in jQuery?
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. How to correctly escape query variables to be used in WP_Query
  10. esc_attr / esc_html / esc_url in echos
  11. When do I need to use esc_html()? [duplicate]
  12. what’s different between esc_attr, htmlspecialchars and htmlentities
  13. Allow all attributes in $allowedposttags tags
  14. When outputting a static string to the page, is it necessary to escape the output?
  15. How Flexible are the WordPress Coding Standards for PHPCS?
  16. why is esc_html() returning nothing given a string containing a high-bit character?
  17. How to properly escape a translated string?
  18. Translate a Constant while appeasing WordPress PHPCS
  19. Using esc_url() on a url more than once
  20. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  21. How to allow &nbsp with wp_kses()?
  22. Using esc_attr_e
  23. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  24. Escaping crashes my output
  25. How to safely escape the title attribute
  26. How to safely escape data that contains HTML attributes
  27. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  28. Echoing a URL to a link
  29. wp_kses_post escaping doesn’t appear to work as described?
  30. file_get_contents | escaping doesnt show the page
  31. Help about Escaping
  32. How to keep specific tag from an html string?
  33. Escaping Issues
  34. Escaping and Special Characters (e.g. &)
  35. Escaping get_option( ‘time_format’ ) is nesserary?
  36. How should esc_url be combined with trailingslashit?
  37. Correct way of using esc_attr() and esc_html()
  38. What is a stored procedure?
  39. outputting ascii table in C++
  40. SQL Server: Difference between PARTITION BY and GROUP BY
  41. Conversion failed when converting date and/or time from character string while inserting datetime
  42. error, string or binary data would be truncated when trying to insert
  43. The SQL OVER() clause – when and why is it useful?
  44. What is the difference between char s[] and char *s?
  45. SQL Server Management Studio, how to get execution time down to milliseconds
  46. How do I escape a single quote in SQL Server?
  47. How Stuff and ‘For Xml Path’ work in SQL Server?
  48. Understanding the difference between null and ‘\u000’ in Java
  49. How can I convert const char* to string and then back to char*?
  50. The multi-part identifier could not be bound
  51. How to join two tables by multiple columns in SQL?
  52. Sql Server string to date conversion
  53. Find all tables containing column with specified name – MS SQL Server
  54. Conversion of a varchar data type to a datetime data type resulted in an out-of-range value in SQL query
  55. How can I import an Excel file into SQL Server?
  56. The ALTER TABLE statement conflicted with the FOREIGN KEY constraint
  57. SQL – The conversion of a varchar data type to a datetime data type resulted in an out-of-range value
  58. SQL Server IF NOT EXISTS Usage?
  59. How to join two tables by multiple columns in SQL?
  60. Comparing chars in Java
  61. What represents a double in sql server?
  62. How do I fix ‘Invalid character value for cast specification’ on a date column in flat file?
  63. SELECT DISTINCT on one column
  64. What does it mean to escape a string?
  65. Comparing the values of char arrays in C++
  66. vs shell installation has failed with exit code 1638
  67. Convert char array to single int?
  68. TSQL PIVOT MULTIPLE COLUMNS
  69. Microsoft OLE DB Provider for SQL Server error ‘80004005’
  70. Why do table names in SQL Server start with “dbo”?
  71. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  72. Equivalent of Oracle’s RowID in SQL Server
  73. Subtract one day from datetime
  74. How to get the ASCII value in JavaScript for the characters [duplicate]
  75. XOR in SQL Server
  76. Backup a single table with its data from a database in sql server 2008
  77. Conditional JOIN Statement SQL Server
  78. Temporary table in SQL server causing ‘ There is already an object named’ error
  79. What datatype should be used for storing phone numbers in SQL Server 2005?
  80. SQL WHERE.. IN clause multiple columns
  81. Filter data based on date in sql
  82. Difference between esc_url() and esc_url_raw()
  83. Escaping WP_Query tax_query when term has special character(s)
  84. Do I need to escape data passed to wp_localize_script()?
  85. Prevent add_shortcode from escaping a tag
  86. Sanitizing comments or escaping comment_text()
  87. Prevent escaping javascript in visual editor
  88. Is it safe and good practice to use do_shortcode to escape?
  89. Unexpected esc_html and esc_attr behaviour
  90. should I escape a literal url added in functions.php
  91. How to allow single quote with esc_html__() without sprintf()
  92. Wrapping add_query_arg with esc_url not working
  93. wordpress post not showing my “” text>?
  94. How to make MySQL search queries with quotes
  95. Escaping WP_Query tax_query when term has special character(s)
  96. Escape html structure in php
  97. Allow iframe in custom meta box
  98. Escaping data from database (users table) is necessary?
  99. how to escape alert/window.location.replace with variable
  100. Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)

Leave a Comment