Handling Special Characters in SQL Statements

The conn:quote() function is designed to safely escape special characters in user input when you're manually constructing SQL statements.

It accepts a single string argument, and returns an escaped string surrounded by single quotes according to the database API used. It ensures that special characters such as quotes and backslashes are properly escaped to prevent syntax errors.

local lastname = "O'Reilly" local query = 'SELECT * FROM Patients WHERE LastName = '..conn:quote(lastname) local result = conn:query{sql=query}

In this example, conn:quote{} ensures that the single quote in O'Reilly is safely escaped, making the query valid for the specific database.

 

Related pages