Working with Databases

Escaping values for SQL

Contents

If your code needs to generate straight SQL calls, you will need to be able to process data that contains double-quote ” and single-quote ‘ characters, which have special meanings in SQL.

We supply the conn:quote{} function to handle this requirement.

Note: The conn:quote{} function and the sqlescape module quote all returned strings, so you must not add quotes around strings in SQL query text.

How It Works

Simply call conn:quote{} to perform the specific database quoting required:

The conn:quote{} function quotes all returned strings, so you must not add quotes around strings in SQL query text.

Doing so will produce an error as shown:

Adding quotes without escaping worked (above) for “Smith”, but it fails (below) for “O’Toole” because the apostrophe is not escaped:

Sample Code

Copy the Escape a SQL query string code sample from our repository.

What’s Next?

We showed you how to escape strings that you use for SQL queries. We strongly recommend that you use the conn:quote{} function, rather than the legacy sqlescape module.

For more information on working with databases see the following pages:

Continue: Handling tables that use an auto-incremented ID column

Leave A Comment?

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.