Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
barnabeck
Posting Yak Master
236 Posts |
 Posted - 2012-05-09 : 06:51:56
|
| I wrote a function that converts our queries after databases had changed their names and structure; the query is passed as a String parameter of type varchar(max), but for some reason the function only works if the string does not contain any quote character. So I first replace them in a text editor with any Placeholder which is rather inconvenient.I managed to include the back conversions (I do the same thing on carriage returns) in the function itselfSET @QueryOut=REPLACE(@QueryOut,'&return;', CHAR(10))SET @QueryOut=REPLACE(@QueryOut,'"e;', CHAR(39))My question is: If I can do the back replacement, and @QueryOut containing quotes can be perfectly displayed, why is it impossible to assign:set @QueryIn='select * from dbo.test where var='test''How can I achieve this? |
|
|
vijays3
Constraint Violating Yak Guru
354 Posts |
Posted - 2012-05-09 : 07:03:36
|
| [code]You need to place string value in Double quotes.''test''set @QueryIn='select * from dbo.test where var=''test'''[/code] |
 |
|
|
barnabeck
Posting Yak Master
236 Posts |
Posted - 2012-05-09 : 07:12:55
|
| Ok. But this requires a manual replacement, which I am trying to avoid... The string parameter should be passed whithout any prior manipulation, any further replacement necessary should be done within the function... which is probably not possible!Thank you anyway! |
|
|
|
madhivanan
Premature Yak Congratulator
22864 Posts |
Posted - 2012-05-10 : 08:52:42
|
| You should use a parameter and pass value to it. Your method will lead to SQL InjectionMadhivananFailing to plan is Planning to fail |
|
|
|
|
|
|
Quotes in String Parameter