SQLEscapedStr - DataDictionary

Converts string to a string that is better suited and safer for SQL WHERE clauses

Type: Function
Return Data Type: String

Parameters

Parameter   Type     Description
sSQL        String   The original, unescaped string

Syntax

Function SQLEscapedStr String sSQL Returns String

Call Example

Get SQLEscapedStr sSQL to StringVariable

Description

SQLEscapedStr changes a string to an "escaped" string that is better suited for being used in SQL statements.

It replaces each single quote with two single quotes, which helps protect against SQL injection. This is handy when building the filter expressions assigned to psSQLFilter, and is particularly useful when you, as the programmer, do not have full control over the content of the filter string, for example when the filter is created by the end user or stored in a database.

Procedure OnChange
    Handle hoDDO
    String sValue
    Get Server to hoDDO                          // the DDO whose filter is being set
    Get Value to sValue                          // text entered by the user, not under program control
    // Double every single quote so the text cannot terminate a quoted SQL literal
    Get SQLEscapedStr of hoDDO sValue to sValue
    Set psSQLFilter of hoDDO to sValue
End_Procedure

Note that a string must be escaped only once: passing an already escaped string through SQLEscapedStr doubles its quotes a second time, so the value no longer matches the original data.

You should not call SQLEscapedStr when setting SQLStrLike, because SQLStrLike already calls this function.
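The following is an added example, not code from the DataFlex documentation: a Python model of the single-quote doubling described above, used to show how an escaped value behaves once it is placed inside a quoted literal of a WHERE clause, why it only protects text that ends up between single quotes, and what goes wrong when a string is escaped twice. The function names, the `Customer.Name` column and the sample values are this example's own constructions, and it assumes SQLEscapedStr does exactly the quote doubling the page describes.

```python
# Added example (not from the DataFlex documentation): a Python model of the
# single-quote doubling that SQLEscapedStr performs. Function names, the
# Customer.Name column and all sample values are constructed for this example.

def sql_escaped_str(s_sql: str) -> str:
    """Model of SQLEscapedStr: every single quote becomes two single quotes."""
    return s_sql.replace("'", "''")


def build_name_filter(user_value: str) -> str:
    """Build a filter of the kind assigned to psSQLFilter.

    The untrusted value is escaped and then placed INSIDE single quotes;
    quote doubling only helps when the value ends up in a quoted literal,
    never when it is used as a column name or an unquoted number.
    """
    return "Customer.Name = '" + sql_escaped_str(user_value) + "'"


def literal_from_filter(where: str) -> str:
    """Tokenize the quoted literal the way a SQL engine would: a doubled
    quote inside the literal is one quote character, a lone quote ends it.
    Returns the decoded value, or raises if any SQL follows the closing
    quote (i.e. the untrusted text changed the statement's structure)."""
    i = where.index("'") + 1
    out = []
    while i < len(where):
        ch = where[i]
        if ch == "'":
            if i + 1 < len(where) and where[i + 1] == "'":
                out.append("'")     # escaped quote, part of the data
                i += 2
                continue
            break                   # closing quote of the literal
        out.append(ch)
        i += 1
    else:
        raise ValueError("unterminated string literal")
    trailing = where[i + 1:]
    if trailing.strip():
        raise ValueError("statement structure changed: " + trailing)
    return "".join(out)


# Constructed inputs: a legitimate name containing a quote, and a value whose
# quote would otherwise terminate the literal early.
SAMPLE_NAME = "O'Brien"
BREAKOUT_ATTEMPT = "x' OR '1'='1"


def demo() -> dict:
    results = {}
    # Escaped once: the quote survives as data and the filter stays intact.
    results["once_ok"] = literal_from_filter(build_name_filter(SAMPLE_NAME)) == SAMPLE_NAME
    # The breakout text stays inside the literal as plain characters.
    results["breakout_inert"] = (
        literal_from_filter(build_name_filter(BREAKOUT_ATTEMPT)) == BREAKOUT_ATTEMPT
    )
    # Escaped twice: the quotes are doubled again and the stored value is wrong.
    results["twice_corrupts"] = literal_from_filter(
        build_name_filter(sql_escaped_str(SAMPLE_NAME))
    )
    # Not escaped at all: the literal ends early and the statement changes.
    unescaped = "Customer.Name = '" + BREAKOUT_ATTEMPT + "'"
    try:
        literal_from_filter(unescaped)
        results["unescaped_changed_structure"] = False
    except ValueError:
        results["unescaped_changed_structure"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the two outcomes the page warns about side by side: the once-escaped values decode back to exactly what was entered, the unescaped value raises because text escaped from the literal, and the twice-escaped name decodes to `O''Brien` rather than `O'Brien`, which is why SQLEscapedStr must be applied exactly once and not again on a value that SQLStrLike has already escaped.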

See Also

SQL Filters

Return Value

An escaped version of the string