[mythtv] escaping strings in sql queries
Chris Petersen
lists at forevermore.net
Tue Dec 23 11:19:16 EST 2003
> On Monday, 22 December 2003 at 10:56, Philippe C.Cattin wrote:
> > What I found out so far is that the single quote ', the % and _ need to
> > be escaped (the double quote " seems to work fine without escaping).
No. You need only to escape the character you use to quote. Thus, if you
enclose your query in "", you must escape the " character; use ' and
you must escape '. Though generally, you should escape both " and ' for
safety.
Anyway, the reason for escaping % and _ is so that those characters
will match literally in a LIKE comparison. However, since it's a good
idea to escape EVERY SINGLE variable going into an SQL query, including
those that are used with LIKE, it's not always a good idea to just
escape all of these, but either create a separate escape routine (or an
option to your single routine) or let the coder do it for those times
that they need % and _ to be escaped.
-Chris
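The split Chris describes, quote handling for every variable versus a separate, opt-in routine for the LIKE wildcards, as an added example that is not from this thread or from MythTV's code. It uses Python's stdlib sqlite3 as a stand-in for the MySQL backend, binds parameters instead of hand-escaping quotes, and the table rows are constructed sample data.

```python
import sqlite3

# Constructed sample titles; they include every character the thread discusses.
TITLES = [
    "100% Pure",
    "Under_score Show",
    "O'Reilly Factor",
    'The "Quoted" Hour',
    "Plain Title",
]

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE program (title TEXT)")
    conn.executemany("INSERT INTO program VALUES (?)", [(t,) for t in TITLES])
    return conn

def escape_like(value, esc="\\"):
    """The separate routine: escape only the LIKE metacharacters (% and _)
    and the escape character itself. Quotes are deliberately NOT touched
    here; parameter binding takes care of ' and " for every variable."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def exact_match(title):
    """Equality lookup. ' and " in the value need no hand-escaping because
    the value is bound as a parameter rather than spliced into the SQL."""
    conn = _connect()
    rows = conn.execute("SELECT title FROM program WHERE title = ?", (title,))
    return [r[0] for r in rows.fetchall()]

def substring_match(fragment, literal_wildcards=True):
    """LIKE search. With literal_wildcards=True the caller's % and _ match
    themselves (via ESCAPE); with False they keep their wildcard meaning."""
    conn = _connect()
    if literal_wildcards:
        pattern = "%" + escape_like(fragment) + "%"
        sql = "SELECT title FROM program WHERE title LIKE ? ESCAPE '\\'"
    else:
        pattern = "%" + fragment + "%"
        sql = "SELECT title FROM program WHERE title LIKE ?"
    rows = conn.execute(sql, (pattern,)).fetchall()
    return sorted(r[0] for r in rows)
```

Searching for a bare `_` with the wildcard escape enabled returns only the title that actually contains an underscore, while the same fragment without escaping matches every row.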