Entering an apostrophe leads to a SQL Execution error on SQL Server.

[chstorb]

QueryBuilder replaces an apostrophe in a string with a backslash(es) followed by an apostrophe.

This leads to a SQL execution error in a SQL Server query.

Instead, SQL Server requires a double apostrophe.

Steps to Reproduce:

1. Open the demo page https://querybuilder.js.org/demo.html and go to the last section "Import/Export".
2. Add a "contains" rule for a field "name" and enter the value "D'Artagnan".
3. Click the button "SQL".
4. Copy the resulting SQL condition name LIKE ('% D \\' Artagnan% ') and use the condition in a sql statement like this:

SELECT * FROM [Musketeers] WHERE [name] LIKE ('% D \\' Artagnan% ')

5. Running this query on SQL Server results in the following error:

Execution failed due to an unexpected error:
SQL Execution error: A fatal error occurred.
Incorrect syntax was encountered while [Statement] LIKE ('% D \' Artagnan% ') was being parsed.

[mistic100]

How is it supposed to be escaped ?

Anyway it is always heavily advised to use prepared statements when using user inputs

[mistic100]

for reference this is is the escaping function https://github.com/mistic100/jQuery-QueryBuilder/blob/dev/src/utils.js#L150-L170

[chstorb]

In SQL Server single quotes are escaped by doubling them up (see https://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sql-server).

The Utils.escapeString method doesn't work for SQL Server.

[mistic100]

Okay, I guess it's the same thing for every dialect actually.

[chstorb]

Exactly.