The EncodeSql function is a built-in function that returns a string in which the characters that have special meaning inside a SQL string literal are escaped (each single quote becomes two single quotes), so that the value can be placed safely inside a SQL literal.

Input parameters

t: Text Type

Output parameters

Text Type

Example

EncodeSql( "another' test" )

returns:

another'' test


Using Expand Inline parameters without encoding untrusted variables (e.g. end-user input) compromises database security by allowing SQL injection: a single quote inside the value closes the literal early and the rest of the input is interpreted as SQL.

Use this function whenever you build an Expand Inline parameter for a SQL query from values that are not under your control. For example, suppose your query has an Expand Inline parameter called Param that holds the condition to be evaluated at run-time, and CustomerName is a variable that holds the end-user input. Escape the input as follows:

Param = "where Name like '" + EncodeSql(CustomerName) + "'"
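To make the escaping concrete, the following Python is an added example (it is not OutSystems code and only models the page's description): it escapes a value the way EncodeSql does, builds the Param clause shown above, and checks that the value could not terminate the literal early. The helper names encode_sql, build_param and literal_is_closed are assumptions of this example.

```python
# Added example, not OutSystems' own implementation: models what EncodeSql does
# to a text value, as the page describes it, so the escaping can be checked offline.
# Assumption: EncodeSql doubles every single quote and changes nothing else.

def encode_sql(t: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal."""
    return t.replace("'", "''")


def build_param(customer_name: str) -> str:
    """Build the Expand Inline parameter from the page, with the value escaped."""
    return "where Name like '" + encode_sql(customer_name) + "'"


def literal_is_closed(clause: str) -> bool:
    """Check that the clause contains exactly one string literal that starts after
    "like " and runs to the end of the clause. Inside the literal every quote must be
    part of a doubled pair; a lone quote would end the literal early and let the
    remainder of the value be read as SQL."""
    prefix = "where Name like '"
    if not clause.startswith(prefix) or not clause.endswith("'"):
        return False
    body = clause[len(prefix):-1]          # text between the opening and closing quote
    i = 0
    while i < len(body):
        if body[i] == "'":
            if i + 1 >= len(body) or body[i + 1] != "'":
                return False               # lone quote: literal terminated early
            i += 2                         # skip the doubled pair
        else:
            i += 1
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a name containing an apostrophe, and a name without.
    for name in ("O'Brien", "Smith"):
        escaped = build_param(name)
        raw = "where Name like '" + name + "'"   # what happens without EncodeSql
        print(escaped, "->", literal_is_closed(escaped))
        print(raw, "->", literal_is_closed(raw))
```

EncodeSql only protects a value placed inside a quoted literal; it does not make table or column names safe, and it leaves the LIKE wildcards % and _ in the value untouched.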

See Also

Available Text Functions | Available Built-in Functions