tsql - Escape a string in SQL Server so that it is safe to use in LIKE expression

Question

How do I escape a string in SQL Server's stored procedure so that it is safe to use in LIKE expression.

Suppose I have an NVARCHAR variable like so:

declare @myString NVARCHAR(100);

And I want to use it in a LIKE expression:

... WHERE ... LIKE '%' + @myString + '%';

How do I escape the string (more specifically, characters that are meaningful to LIKE pattern matching, e.g. % or ?) in T-SQL, so that it is safe to use in this manner?

For example, given:

@myString = 'aa%bb'

I want:

WHERE ... LIKE '%' + @somehowEscapedMyString + '%'

to match 'aa%bb', 'caa%bbc' but not 'aaxbb' or 'caaxbb'.

Answer 1

To escape special characters in a LIKE expression you prefix them with an escape character. You get to choose which escape char to use with the ESCAPE keyword. (MSDN Ref)

For example this escapes the % symbol, using as the escape char:

select * from table where myfield like '%15\% off%' ESCAPE ''

If you don't know what characters will be in your string, and you don't want to treat them as wildcards, you can prefix all wildcard characters with an escape char, eg:

set @myString = replace( 
                replace( 
                replace( 
                replace( @myString
                ,    '', '\' )
                ,    '%', '\%' )
                ,    '_', '\_' )
                ,    '[', '[' )

(Note that you have to escape your escape char too, and make sure that's the inner replace so you don't escape the ones added from the other replace statements). Then you can use something like this:

select * from table where myfield like '%' + @myString + '%' ESCAPE ''

Also remember to allocate more space for your @myString variable as it will become longer with the string replacement.