Characters that must be escaped in Tsql

Question

I was looking for a list of special characters that must be escaped in ms sql server but could not find one and most of answers I saw for the similar questions advised to us

Answer 1

I just wanted to say that _ (underscore) also needs to be escaped.

select * from Products where SomeColumn like 'FD[_]%'

By the way, nothing wrong with parameterized queries, but sometimes you want to go to the SQL management console and quickly run a query to find something out.

Answer 2

Not sure this is accurate.

% and . and other wildcards depending on the query, may also need escaping. where you are looking for a dot. This will fail

select * from xxxx where field like '%.%'   

Answer 3

The only character that needs escaping in a string is a single quote (which is done with two single quotes together). Otherwise, it's a string and t-sql will fuss with it no further.

If you're using a LIKE statement, see this SO topic Escape a string in SQL Server so that it is safe to use in LIKE expression

As an aside, any framework that doesn't let me use parameters, that doesn't properly escape stuff for me, is a hard stop. Trying to sanitize string input manually is like relying on the pull out method; eventually it's gonna get you.