From: genew@ocis.net   
      
   On Wed, 22 Aug 2012 21:14:55 +0200, Erland Sommarskog   
    wrote:   
      
   >Gene Wirchenko (genew@ocis.net) writes:   
   >> My question was really whether there are any other escape   
   >> characters? Are there?   
   >   
   >No.   
      
    That is good to know. It has been hard to find such an answer   
   since my question is about a negative. Thank you very much.   
      
   >> No. I will be passing parameters, but I need to be sure that   
   >> they are properly delimited and escaped. For example, if I do not   
   >> escape quotes, it may allow trouble.   
   >   
   >As long as you don't build SQL strings from input data, there is no trouble.   
      
    I will be building only statements that execute stored   
   procedures. e.g.   
    execute ExampleProc 'abc',1,2,3   
   or   
    execute ExampleProc theString='abc',foo=1,bar=2,baz=3   
   Does that count?   
      
    I will not be building any other type of statement. No selects,   
   no inserts, no updates, etc.   
      
   >No need to delimit, no need to escape. Again from a strict SQL perspective.   
   >There may be business rules requiring you to deal with certain characters.   
   >But given that the apostrophe is an essential character in English   
   >orthography, I don't think that the single quote is one of these characters.   
      
    Eh? Would that not be exactly why I need to concern myself with   
   it?   
      
    I had a computing instructor with the family name "O'Neil". He   
   had words about companies that messed up orders as a result of his   
   name. It was quite appropriate in an algorithms and data structures   
   course. Sadly, I have seen many HTML books that show how to build   
   forms really easily and totally skip this gotcha.   
      
   Sincerely,   
      
   Gene Wirchenko   
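
The three ways a caller can hand a value such as "O'Neil" to the procedure discussed in the message above, as an added T-SQL example that is not part of the original post. The body of ExampleProc, the parameter types and the @-prefixed parameter names are assumptions; the sample name is constructed.

```sql
-- Added example. ExampleProc's body and parameter types are assumed.
CREATE PROCEDURE ExampleProc
    @theString nvarchar(50),
    @foo int, @bar int, @baz int
AS
    SELECT @theString AS theString, @foo + @bar + @baz AS total;
GO

-- Constructed sample input; inside a literal a quote is written as ''.
DECLARE @name nvarchar(50) = N'O''Neil';

-- 1. Fragile: the raw value is spliced into the statement text.
--    The apostrophe closes the literal early, so the text
--    "execute ExampleProc 'O'Neil',1,2,3" does not parse; with other
--    input the remainder could be read as SQL the caller never wrote.
DECLARE @sql nvarchar(400) =
    N'execute ExampleProc ''' + @name + N''',1,2,3';
BEGIN TRY
    EXEC (@sql);
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;

-- 2. If the statement text must be built, double every single quote
--    in the value before wrapping it in quotes.
SET @sql = N'execute ExampleProc '''
         + REPLACE(@name, N'''', N'''''')
         + N''',1,2,3';
EXEC (@sql);   -- runs: execute ExampleProc 'O''Neil',1,2,3

-- 3. Parameterised: the value never becomes part of the statement
--    text, so nothing has to be delimited or escaped.
EXEC sp_executesql
    N'execute ExampleProc @theString = @s, @foo = @a, @bar = @b, @baz = @c',
    N'@s nvarchar(50), @a int, @b int, @c int',
    @s = @name, @a = 1, @b = 2, @c = 3;
```

Client libraries that bind parameters to a stored-procedure call behave like case 3: the value travels separately from the statement.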
      