ryy705, posted September 7, 2009:

Hello, what is the proper way to escape user input before using it as part of a query? I've always used mysql_real_escape_string() with MySQL, but I don't see anything like that for MSSQL. The following is what I plan on using. Is it sufficient?

    $input = str_replace("'", "''", $input);
    mssql_query(sprintf("UPDATE Login SET user = '%s'", $input));

Any input would be helpful.
Adam, posted September 14, 2009:

This is a pretty tight filtering method, superior to mysql_real_escape_string() ...

    addcslashes($str, "\x00\n\r\'\x1a\x3c\x3e\x25");
corbin, posted September 14, 2009:

> This is a pretty tight filtering method, superior to mysql_real_escape_string() ...
>
>     addcslashes($str, "\x00\n\r\'\x1a\x3c\x3e\x25");

MSSQL does not use \ as the escape character. It uses '.
darkgr33n, posted October 3, 2009:

> The following is what I plan on using. Is it sufficient?
>
>     $input = str_replace("'", "''", $input);
>     mssql_query(sprintf("UPDATE Login SET user = '%s'", $input));
>
> Any input would be helpful.

That's what I've done and it seems to work. I did a fair amount of research, and read a couple of times that this was the preferred method.
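The two techniques discussed in this thread, side by side, as an added example that is not code from any of the posters above: a helper that builds a T-SQL string literal by doubling single quotes (the approach from the original question, which is correct for a value placed inside single quotes because T-SQL does not treat backslashes specially, as corbin points out), and the parameterized alternative that removes the need to escape at all. The example assumes the PDO sqlsrv driver (pdo_sqlsrv), an assumed DSN and credentials, and an assumed "id" column for the WHERE clause; the table name "Login" and column "user" come from the question (bracketed here because USER is a reserved word in T-SQL). The mssql_* extension used in the question was removed in PHP 7, so the PDO route is the one available on current PHP.

```php
<?php
// Added example, not code from the forum posts above. Assumes pdo_sqlsrv,
// a local SQL Server, and an "id" column on the Login table (all assumed).

// Manual escaping for a T-SQL single-quoted string literal. The only
// character that can terminate the literal is the single quote, and T-SQL
// escapes it by doubling it. Backslashes carry no meaning in T-SQL string
// literals, which is why a backslash-based addcslashes() call does not
// protect an MSSQL query. Use this only for a value that lands between
// single quotes; it does nothing for numeric contexts or identifiers.
function mssql_quote_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed sample inputs for the demonstration.
$samples = ["O'Brien", "plain", "a\\b"];
foreach ($samples as $s) {
    echo mssql_quote_literal($s), "\n";
}
// Prints:
// 'O''Brien'
// 'plain'
// 'a\b'

// Preferred approach: keep the value out of the SQL text entirely with a
// bound parameter. The driver sends the value separately from the query,
// so the server's quoting rules never apply to it.
$dsn = 'sqlsrv:Server=localhost;Database=example'; // assumed DSN
$pdo = new PDO($dsn, 'app_user', 'app_password');   // assumed credentials
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function update_login_user(PDO $pdo, int $id, string $newUser): int
{
    // "?" placeholders are filled by the driver; $newUser is never
    // interpolated into the query text, so no escaping is required.
    $stmt = $pdo->prepare('UPDATE Login SET [user] = ? WHERE id = ?');
    $stmt->execute([$newUser, $id]);
    return $stmt->rowCount();
}

$rows = update_login_user($pdo, 42, "O'Brien"); // 42 is a constructed id
echo "rows updated: $rows\n";
```

If the query has to be built as text (for example with the legacy mssql_query()), wrap each string value with mssql_quote_literal() rather than sprintf()'ing a bare %s into quotes you typed by hand, so the quoting and the doubling cannot drift apart; where a driver with bound parameters is available, prefer update_login_user()'s form and drop the escaping step entirely.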
Archived: this topic is now archived and is closed to further replies.