ryy705 Posted September 7, 2009

Hello,

What is the proper way to escape user input before using it as a part of a query? I've always used mysql_real_escape_string() with MySQL, but I don't see anything like that for MSSQL. The following is what I plan on using. Is it sufficient?

$input = str_replace("'", "''", $input);
mssql_query(sprintf("UPDATE Login SET user = '%s'", $input));

Any input would be helpful.

https://forums.phpfreaks.com/topic/173437-escape-user-input/
Adam Posted September 14, 2009

This is a pretty tight filtering method, superior to mysql_real_escape_string():

addcslashes($str, "\x00\n\r\'\x1a\x3c\x3e\x25");
corbin Posted September 14, 2009

> This is a pretty tight filtering method, superior to mysql_real_escape_string():
> addcslashes($str, "\x00\n\r\'\x1a\x3c\x3e\x25");

MSSQL does not use \ as the escape character. It uses '.
darkgr33n Posted October 3, 2009

> The following is what I plan on using. Is it sufficient?
> $input = str_replace("'", "''", $input);
> mssql_query(sprintf("UPDATE Login SET user = '%s'", $input));
> Any input would be helpful.

That's what I've done and it seems to work. I did a fair amount of research, and read a couple of times that this was the preferred method.
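The quote-doubling from the thread, written out as a function next to the parameterised alternative that avoids string escaping entirely. This is an added example, not code from any poster; it assumes the PDO sqlsrv driver and the Login table from the original post, and the connection details are placeholders.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for use inside a single-quoted T-SQL string literal.
 * T-SQL has no backslash escape: the only character that can end a
 * literal is the single quote, written as '' inside it. This is only
 * meaningful when the result sits between quotes; it does nothing for
 * numeric contexts, identifiers, or LIKE wildcards.
 */
function tsql_quote_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * The UPDATE from the thread, built with the escaping above.
 * USER is a reserved word in T-SQL, so the column is bracketed.
 */
function build_update_sql(string $user): string
{
    return 'UPDATE Login SET [user] = ' . tsql_quote_literal($user);
}

/**
 * Preferred approach: the driver sends the value separately from the
 * SQL text, so no quoting of user input happens in PHP at all.
 */
function update_login_user(PDO $db, string $user): int
{
    $stmt = $db->prepare('UPDATE Login SET [user] = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs: an ordinary value and a string containing a quote
// followed by a second statement, to see the quote being neutralised.
foreach (["alice", "x'; DROP TABLE Login; --"] as $input) {
    echo build_update_sql($input), PHP_EOL;
}

// Placeholder connection (assumption, not from the thread):
// $db = new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', 'DB_USER', 'DB_PASS');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// update_login_user($db, $input);
```

The mssql_* functions used in the thread were removed in PHP 7.0, so on a current PHP the PDO route above (or the sqlsrv extension) is the only option anyway.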