SQL_EscapeString Function

Escapes a database string for literal insertion. This is not needed for binding strings in prepared statements.

Generally, database strings are inserted into queries enclosed in single quotes ('). If user input has a single quote in it, the quote needs to be escaped. This function ensures that any unsafe characters are safely escaped according to the database engine and the database's character set.

NOTE: SourceMod only guarantees properly escaped strings when the query encloses the string in single quotes. While drivers tend to allow double quotes (") instead, the string may be not be escaped (for example, on SQLite)!

bool SQL_EscapeString(Handle database, const char[] string, char[] buffer, int maxlength, int& written)


Handle database

A database Handle.

const char[] string

String to quote.

char[] buffer

Buffer to store quoted string in.

int maxlength

Maximum length of the buffer.

int& written

Optionally returns the number of bytes written.

Return Value

True on success, false if buffer is not big enough. The buffer must be at least 2*strlen(string)+1.


Invalid database or statement Handle.