Special characters in SQL

We all know that the single quotation mark (') is a special character during SQL Server query, so it must be converted into double single quotation mark ('') during query.
However, this is only a special character. In actual projects, we found that the like operation has the following special characters: underscore "_", percent "% ", square brackets "[]" And tip "^ ".
Its usage is as follows:
Underline: Used to replace any character (equivalent? )
Percent: Used to replace any number of characters (equivalent to * in a regular expression *)
Square brackets: used for escape (in fact, only the left square brackets are used for escape, and the right square brackets use the recent priority principle to match the nearest left square brackets)
Tip: used to exclude some characters for matching (this is the same as in regular expressions)

Here are some examples of matching. It should be noted that only the like operation has these special characters, and the = operation does not exist.
A_ B... A [_] B %
A % B... A [%] B %
A [B... A [[] B %
A] B... A] B %
A [] B... A [[] B %
A [^] B... A [[] [^] B %
A [^] B... A [[] [^] [^] B %

During actual processing, we generally only need to replace the = operation as follows:
'->''
For the like operation, you need to replace the following (note that the order is also important)
[-> [[] (This must be the first replacement !!)
%-> [%] (Here % refers to the % of the characters to be matched, rather than the wildcard specifically used for matching)
_-> [_]
^-> [^]

Some special characters in SQL statements are reserved by SQL statements. For example. We can first look at their usage.

When you need to query a certain data, add a condition statement, or when you need an insert record, we use 'to cause data of the character type. For example:
Select * from MERs where city = 'London'

When the table name or column name contains spaces and other special characters, We need to [] The table name to tell the syntax analyzer, [] is a complete name. For example

Select * from [Order Details]

What should I do if the character data contains? In fact, many people do not process the character "symbol" here, which may cause SQL Injection risks. The example above. In the era of SQL statement concatenation, such

String SQL = "select * from MERs where customerid = '" + temp + "'";

If I assign the Temp value to Tom 'or 1 = 1 ---
Then the statement you splice is select * from MERs where customerid = 'Tom 'or 1 = 1 ---'
Haha, 1 = 1 is true, --- comment out the following SQL statement. The preceding statement is valid because of input. The or condition Selects all records. This is SQL injection. If the problem is not handled during user login, your system may be vulnerable.
How does one process the 'symbol in character data? The method is very simple. replace one with two 'symbols. For example, if the actual input value is Lon 'Don
Select * from MERs where city = 'lon ''don'
You can.

What if the table or column name contains [or] characters? For example, if select * from [order] Details], the intermediate] symbol is not matched with the first. It is invalid. What should we do? Simple, use] instead of]. For [, you do not need to handle it. Then it should be
Select * from [order] Details].