Viewing 15 posts - 316 through 330 (of 429 total)
that's very well and good, but no amount of string parsing or formatting will protect you from sql injection.
the only way to reliably protect yourself is to use parameterized...
March 26, 2007 at 12:33 pm
yes indeed. have a look here to see what kind of mess you'll get into if you are vulnerable to sql injection:
http://www.rockyh.net/AssemblyHijacking/AssemblyHijacking.html
here's how to fix it:
http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx
http://msdn2.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters.aspx
March 26, 2007 at 7:32 am
using \ as an escape char would make sense if you are coming from the world of C/C++ etc.
the world of sql is different. In other dialects, such as...
March 23, 2007 at 10:26 am
Now you need to tell us what value you are trying to extract. what XQuery have you tried so far?
March 23, 2007 at 10:23 am
think of it this way: the escape char for ' in t-sql is '. that means if you have a ' in a string, you need to precede it by...
March 23, 2007 at 9:26 am
actually you didn't post any of your xml.
all you've got above is part of an xml schema. the actual data would come after that...
March 23, 2007 at 9:22 am
sure enough. this pretty much sucks for automating your scripts I have to say.
this issue has been raised before here on ssc and not answered:
http://www.sqlservercentral.com/forums/shwmessage.aspx?forumid=145&messageid=343395
if I were you I...
March 22, 2007 at 5:29 pm
maybe a query against MainTable that left joins against all the others?
March 22, 2007 at 4:58 pm
this is a long thread so I may have missed it if someone already mentioned it, but this seems like it could be a parameter sniffing issue.
See: http://blogs.msdn.com/khen1234/archive/2005/06/02/424228.aspx
March 22, 2007 at 4:34 pm
Interesting thread.
in the end, I agree with Steve: all the good devs have jobs already.
if you want to hire one, you have to hire one away from another company....
March 22, 2007 at 4:20 pm
since you dumped the entire document in a single column, you can study XQuery:
http://msdn2.microsoft.com/en-us/library/ms189075.aspx
alternatively, you could use xml bulk load to import the xml into relational tables. then you could...
March 22, 2007 at 4:05 pm
why do you care what order the columns are in the table? any selects that target the table should reference the column names directly and not use select *.
if you...
March 22, 2007 at 3:59 pm
this isn't really the place for such questions, but, check out the Regex class in .net:
http://msdn2.microsoft.com/en-us/library/system.text.regularexpressions.regex.aspx
this forum is for sql server questions.
March 22, 2007 at 3:56 pm