select address from station where name like '%La'Plata%';
It does not work. I want to query rows whose name includes La'Plata. But I guess since it includes a special character ('), it doesn't work. How should this be fixed?
The quick and dirty answer is to escape the single quote with a second single quote:
However, it's far better to use parameterized queries if you're going to be accepting input from users to avoid SQL Injection attacks (and just good practice in any case):
This allows you to avoid worrying about escaping special characters while minimizing security risks like this one.
There will always be people who are ahead of the curve, and people who are behind the curve. But knowledge moves the curve. --Bill James
Originally posted by Stevi Deter: The quick and dirty answer is to escape the single quote with a second single quote:
However, it's far better to use parameterized queries if you're going to be accepting input from users to avoid SQL Injection attacks (and just good practice in any case):
This allows you to avoid worrying about escaping special characters while minimizing security risks like this one.
Thanks Stevi. I like the 2nd approach. But for the 1st approach, what if my search term includes a special char like %, should I still use ' as the escape?
For the wildcard characters '_' and '%' in a Like statement, I think you need to use the escape syntax, which lets you define the escape character sequence:
This example should match any string that has a literal % character.
There will always be people who are ahead of the curve, and people who are behind the curve. But knowledge moves the curve. --Bill James
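The two answers above (doubling the single quote, and a parameterized query with an ESCAPE clause for the LIKE wildcards) put together as a runnable example. This is added code, not code posted in the thread; it assumes Python's standard sqlite3 module and a constructed in-memory station table, and the helper names (make_db, escape_like, search_by_doubling_quote, search_parameterized) are my own.

```python
import sqlite3

# Constructed sample rows shaped like the question's station table (not the poster's data).
SAMPLE_STATIONS = [
    ("La'Plata Central", "1 Main St"),
    ("La Plata", "2 Side St"),
    ("100% Cotton Depot", "3 Mill Rd"),
    ("Underscore_Yard", "4 Rail Ave"),
    ("Plain Station", "5 Elm St"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table station (name text, address text)")
    conn.executemany("insert into station values (?, ?)", SAMPLE_STATIONS)
    return conn


def search_by_doubling_quote(conn, term):
    """The 'quick and dirty' fix from the first answer: a literal single quote
    inside a SQL string literal is written as two single quotes.  This handles
    the quote in La'Plata, but % and _ in the term still act as LIKE wildcards,
    and the SQL text is still built from the input, which is the pattern that
    leads to SQL injection when any other character is mishandled."""
    sql = ("select address from station where name like '%"
           + term.replace("'", "''") + "%'")
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape the LIKE wildcards (% and _) and the escape character itself so
    the term matches literally when the query uses ESCAPE esc."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_parameterized(conn, term):
    """The preferred approach: the term is passed as a bound parameter, so the
    quote in La'Plata never becomes part of the SQL text.  Wildcards in the
    term are escaped and the ESCAPE clause names the escape character, which
    is the second answer's point about searching for a literal %."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "select address from station where name like ? escape '\\'",
        (pattern,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_by_doubling_quote(db, "La'Plata"))   # quote doubled, works
    print(search_parameterized(db, "La'Plata"))       # bound parameter, works
    print(search_by_doubling_quote(db, "_"))           # _ is a wildcard: every row
    print(search_parameterized(db, "_"))               # literal _: one row
```

The last two calls show why the escape question matters: with the quote-doubling version a search term of "_" matches every row, because the underscore is still a wildcard, while the parameterized version with ESCAPE matches only the row whose name actually contains an underscore.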