Escape characters

S

Sathyaish

What should one pass as a field value into a table in the insert
statement if the value contained a percentage symbol (%) or the
asterisk symbol (*), since both of these have special wildcard
meanings. What if I want to pass the special meanings and pass them as
literals? Is there any escape character that I must use? I am using
ADO.NET v1.1 of the framework with VB.NET. The database is Microsoft
SQL Server 2000.
 
G

Guest

Hi Sathyaish,

AFAIK, when using INSERT INTO command, you don't need to worry about (%) and
(*). Wildcard characters are used to search specified columns after LIKE
operator.

HTH

Elton Wang
 
S

S. Justin Gengo

Sathyaish,

Elton is right, but I'd like to mention one of the great things about the
..NET framework. As long as you use the built in parameter specification
process .NET takes care of escaping characters for you. In fact, if you
don't use the built in parameter process you are possibly leaving your
applications open to SQL injection attacks. I highly recommend using the
parameters.

For example:

SqlCommand.Parameters.Add("@Id", SqlDbType.Int).Value = MyId



--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

escaping special operators, ', etc. 8
escape single quote in MS SQL in .net framework 10
Reading database timed out 5
Escape or parameter for RowFilter to prevent expression injection security attack? 1
Symbol "font" doesn't act like other fonts 1
Why does C# require escape ar @ characters for strings ? 4
Strings and Escape Characters 7
Override SqlCommand placeholder process??? 5

Top