[rhelgeby]

Nice. This doesn't even have to be used with SQL. It could also be a general purpose function. Perhaps expand it to allow the user to choose which escape character to use.

[API]

It's a cool idea but obviously the driver is preferred. Also, as a suggestion: Don't check if characters are already escaped, just escape them anyway. It's pretty common to have other escaped information in the string so you don't want to make any assumptions about what is fair game for escaping what what isn't. For example:

x = 'test\'ing';

That string should become

x = 'test\\\'ing';

[Powerlord]

Quote:

Originally Posted by asherkin It's idiotic to use this, if you need to insert text into a database, you're going to have a connection. The driver-level functions are designed to escape exactly what's required.

And just as importantly, since you didn't mention it: The standard SQL way of escaping is to replace ' with ''.

MySQL is more involved than that but it still supports using '' to escape '. I can't honestly say whether SQLite supports that.

[dordnung]

I updated the snippet, so you can generally escape a string from a char with a given escaper. And also the snippet is a lot of smaller.

[rhelgeby]

Code is clean and well formatted. However there are two improvements:

• Move call to strlen() outside the loop to make the snippet as efficient as possible. Even calls to Format to concatenate strings are unnecessary if you work with strings as arrays. But that isn't a big deal.
• When you call EscapeString multiple times in the SQL escaping functions, use the output from the last one as the input in the next one. Otherwise the last result will be overwritten.