How to search double quotes in fulltext search in sql?

  • I have double quotes in my keyword. How can I search for this in my full-text search query? I have this query:

        SELECT top 10 K.[KEY], 10, K.[RANK] FROM CONTAINSTABLE(ProductKeywords, Keywords, '("19*") AND ( "<Cat>5" OR "<Cat>30" OR "<Cat>398" ) AND NOT "<Blocked>"' ) AS k

    It works fine, but when I have double quotes in my keyword, like

        SELECT top 10 K.[KEY], 10, K.[RANK] FROM CONTAINSTABLE(ProductKeywords, Keywords, '("19"*") AND ( "<Cat>5" OR "<Cat>30" OR "<Cat>398" ) AND NOT "<Blocked>"' ) AS k

    it gives this error:

        Msg 7630, Level 15, State 3, Line 1
        Syntax error near '*' in the full-text search condition '("19"*") AND ( "<Cat>5" OR "<Cat>30" OR "<Cat>398" ) AND NOT "<Blocked>"'.

  • Answer:

    Since the content of 'Keywords' is interpreted by the RDBMS instead of being read literally, your code is vulnerable to SQL Injection. This is also why you get the syntax errors. You must sanitize the content of 'Keywords'. There's an answer on Stack Overflow: http://stackoverflow.com/questions/4102387/how-to-cleanse-dynamic-sql-in-sql-server-prevent-sql-injection.

Ahmad Abbasi at Database Administrators
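One way to apply the answer's advice, as an added example that is not code from the question or the answer: keep the keyword out of the SQL text entirely, strip the characters that the full-text condition parser treats as syntax (the double quote is its phrase delimiter, which is why '("19"*")' fails), and hand the finished condition to CONTAINSTABLE as a variable. The table and column names are those from the question; the procedure name and the sample keyword are assumptions.

```sql
-- Added example: parameterised full-text search for the query in the question.
-- dbo.SearchProductKeywords and the sample keyword are assumed names/values.
CREATE PROCEDURE dbo.SearchProductKeywords
    @Keyword nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;

    -- The double quote delimits phrases in the CONTAINS syntax, and '*' and
    -- parentheses are operators, so none of them may come from untrusted input.
    -- Remove them and let the procedure supply its own quoting and wildcard.
    DECLARE @Clean nvarchar(200) = @Keyword;
    SET @Clean = REPLACE(@Clean, N'"', N'');
    SET @Clean = REPLACE(@Clean, N'*', N'');
    SET @Clean = REPLACE(@Clean, N'(', N'');
    SET @Clean = REPLACE(@Clean, N')', N'');
    SET @Clean = LTRIM(RTRIM(@Clean));

    IF @Clean = N'' RETURN;   -- nothing searchable is left after cleaning

    -- The structure of the condition is fixed here; only the cleaned term varies.
    DECLARE @Cond nvarchar(4000) =
        N'("' + @Clean + N'*") AND ( "<Cat>5" OR "<Cat>30" OR "<Cat>398" ) AND NOT "<Blocked>"';

    -- CONTAINSTABLE accepts the condition as a variable, so no dynamic SQL
    -- (EXEC of a concatenated string) is needed and no SQL injection is possible.
    SELECT TOP 10 K.[KEY], 10, K.[RANK]
    FROM CONTAINSTABLE(ProductKeywords, Keywords, @Cond) AS K
    ORDER BY K.[RANK] DESC;
END;
GO

-- Constructed sample call: the embedded quote is dropped and the search runs as "19*".
EXEC dbo.SearchProductKeywords @Keyword = N'19"';
```

Even with the condition passed as a variable, the full-text engine still parses its contents, so the character filtering above is what keeps an untrusted keyword from changing the condition's structure or breaking its syntax.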
