Escapes a database string for literal insertion. This is not needed for binding strings in prepared statements.
Generally, database strings are inserted into queries enclosed in single quotes ('). If user input has a single quote in it, the quote needs to be escaped. This function ensures that any unsafe characters are safely escaped according to the database engine and the database's character set.
NOTE: SourceMod only guarantees properly escaped strings when the query encloses the string in ''. While drivers tend to allow " instead, the string may be not be escaped (for example, on SQLite)!
bool SQL_EscapeString(Handle database, const char string, char buffer, int maxlength, int &written)
A database Handle.
String to quote.
Buffer to store quoted string in.
Maximum length of the buffer.
Optionally returns the number of bytes written.
True on success, false if buffer is not big enough. The buffer must be at least 2*strlen(string)+1.
Invalid database or statement Handle.