

This topic is now archived and is closed to further replies.


Escaping characters for an insert statement


Hello, having some trouble with this one. Checked the php.net topics for anything, nothing can be found. Tried using "addslashes()" but that doesn't seem to work either!

So can anyone give me any quick pointers on what characters need to be escaped, and if they know of any functions that do this (integrated in php) or whether I'll have to use a different function and tailor it or not.

Especially relevant to:

Preventing sql injection attacks on mssql database (dunno how, but guessing ensuring they can't insert sql statements into queries that are just supposed to insert data instead!).
Allowing users names like O'Donnel etc
Allowing users to put ! ? " - ' ; : etc inside comments sections that will be logged into a database table.

Unfortunately having massive trouble finding any information with regards to mssql, and plenty on mysql that just doesn't work (tried addslashes and nothing was entered when putting ' into a string of text!).

Many thanks if anyone can help out.

To input names like O'Donnel you need to change it to O''Donnel (2 single quotes) to insert it into the table, unlike MySQL which requires \'.

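An added example, not part of either post above: it shows why addslashes() output breaks a SQL Server string literal while the doubled quote from the reply does not. The helpers `mssql_escape_literal` and `tsql_scan_literal` are hypothetical names, and the scanner is a simplified model of how T-SQL finds the end of a quoted string, run on a constructed input.

```php
<?php
// Added example: helper names are hypothetical, the input is constructed.

// SQL Server rule: inside '...', a single quote is written as two quotes.
function mssql_escape_literal(string $value): string
{
    return str_replace("'", "''", $value);
}

// Simplified model of T-SQL literal scanning. Starting just after the
// opening quote, '' is an embedded quote and a lone ' ends the literal.
// Backslash has no special meaning. Returns [decoded value, trailing SQL].
function tsql_scan_literal(string $sql, int $start): array
{
    $value = '';
    $len = strlen($sql);
    for ($i = $start; $i < $len; $i++) {
        if ($sql[$i] === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $value .= "'";
                $i++; // skip the second quote of the pair
                continue;
            }
            return [$value, substr($sql, $i + 1)];
        }
        $value .= $sql[$i];
    }
    throw new RuntimeException('unterminated string literal');
}

$name   = "O'Donnel"; // constructed sample input
$prefix = "INSERT INTO users (name) VALUES ('";

$candidates = [
    'addslashes' => addslashes($name),           // O\'Donnel
    'doubled'    => mssql_escape_literal($name), // O''Donnel
];

foreach ($candidates as $label => $escaped) {
    $sql = $prefix . $escaped . "')";
    [$stored, $rest] = tsql_scan_literal($sql, strlen($prefix));
    // With addslashes the literal ends at the user's quote, so the rest of
    // the input is parsed as SQL; with doubling only ")" remains.
    printf("%-10s literal=[%s] parsed-as-SQL=[%s]\n", $label, $stored, $rest);
}
```

Bound parameters (for example PDO prepared statements) avoid manual escaping entirely and are the more robust answer to the injection concern raised in the question.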

