#3
I've googled for this but can't seem to find an answer that looks reliable and is not product-specific. What is an adequate method of escaping table/field names and values in SQL that would work on any major database type?

e.g. if I am getting a field name and value from an untrusted source (e.g. an HTTP query from another computer), and I want to use it as part of an SQL query, how should I modify the string so it works properly? e.g. in C, if I do _snprintf(buf, bufsz, "select * from %s T where T.`%s` = '%s';", table_name, field_name, field_value), this will have problems if field_name contains a back-quote or field_value contains a single-quote. (And are these the only characters that are problematic?)

I can look up the answer for MySQL, which I am using right now, but if I want to make my software work with other databases I'm not sure what the right general answer is.
#4
I do not think there is a general answer, but I think there is a more generic version by using AS, so "select * from %s AS T where T.%s = '%s';", table_name, field_name, field_value, and I don't think you want to single quote the column name, do you?

HTH, Ed
#5
MySQL uses backquotes for column names; what do other DBs use?
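Added example, not from any post in this thread, covering both the question in #3 (untrusted field name and value in a query) and the follow-up in #5 (which quote characters other engines use). It uses Python's standard-library sqlite3 module instead of C and MySQL so it runs stand-alone; the in-memory table, the rows and the lookup of quote characters for standard SQL, MySQL and SQL Server are all constructed here. The two kinds of input are handled differently: the value is bound as a query parameter so the driver never splices it into the SQL text, while identifiers (which cannot be parameters) are checked against the live schema and only then quoted for the target dialect.

```python
"""Added example (not from any post in this thread): handle the two kinds of
untrusted input from the question separately. Values are bound as query
parameters; identifiers are allowlisted against the schema and then quoted.
Uses Python's standard-library sqlite3 so it runs stand-alone."""
import sqlite3

# Constructed lookup of identifier quote characters. Inside the quotes the
# closing character is escaped by doubling it (the same rule in all three).
IDENTIFIER_QUOTES = {
    "standard": ('"', '"'),   # SQL standard, PostgreSQL, SQLite, Oracle
    "mysql": ("`", "`"),      # MySQL default (ANSI_QUOTES mode allows " too)
    "mssql": ("[", "]"),      # SQL Server bracket quoting
}


def quote_identifier(name, dialect="standard"):
    """Quote an already-validated identifier for the given dialect."""
    open_q, close_q = IDENTIFIER_QUOTES[dialect]
    return open_q + name.replace(close_q, close_q * 2) + close_q


def load_schema(conn):
    """Build an allowlist {table: set(columns)} from the SQLite catalog.
    (Other engines expose the same data via information_schema.columns.)"""
    schema = {}
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    for (table,) in rows.fetchall():
        info = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
        schema[table] = {row[1] for row in info.fetchall()}  # row[1] = column name
    return schema


def select_by_field(conn, schema, table_name, field_name, field_value,
                    dialect="standard"):
    """The query from the question, built safely: identifiers allowlisted and
    then quoted, the value passed as a bound parameter."""
    if table_name not in schema:
        raise ValueError("unknown table: %r" % table_name)
    if field_name not in schema[table_name]:
        raise ValueError("unknown column: %r" % field_name)
    sql = "SELECT * FROM %s AS T WHERE T.%s = ?" % (
        quote_identifier(table_name, dialect),
        quote_identifier(field_name, dialect))
    return conn.execute(sql, (field_value,)).fetchall()


def select_by_field_naive(conn, table_name, field_name, field_value):
    """The snprintf-style construction from the question, for comparison:
    a value containing a single quote breaks the statement."""
    sql = "SELECT * FROM %s AS T WHERE T.\"%s\" = '%s'" % (
        table_name, field_name, field_value)
    return conn.execute(sql).fetchall()


def demo():
    """Constructed in-memory database; returns what each approach does with
    a legitimate value that happens to contain a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Ann"), (2, "O'Brien")])
    schema = load_schema(conn)

    safe_rows = select_by_field(conn, schema, "users", "name", "O'Brien")

    try:
        select_by_field_naive(conn, "users", "name", "O'Brien")
        naive = "ok"
    except sqlite3.OperationalError:
        naive = "syntax error"   # the quote in the value ended the literal early

    try:
        select_by_field(conn, schema, "users", "nmae", "Ann")  # typo in column
        rejected = False
    except ValueError:
        rejected = True

    return {"safe_rows": safe_rows, "naive": naive,
            "unknown_column_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The allowlist is the important part for identifiers: quoting only makes a name syntactically safe, it does not make an arbitrary name a sensible thing to query, so the schema check comes first and quote_identifier is applied afterwards. For a different engine, swap the dialect key and replace load_schema's catalog queries with the equivalent information_schema lookups.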