Jump to content

Prevent MS SQL Injection


Recommended Posts

Remember how the escape character for MySQL is \?


(EG:  SELECT * FROM users WHERE username = 'Corbin\'s Name';)


In MSSQL, the escape character is another single quote.


(EG:  SELECT * FROM users WHERE username = 'Corbin''s Name';)



So, it's quite simple to make your own function.


function mssql_escape($str) {
    return str_replace("'", "''", $str);

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.