Escaping

Andy17

Hey
When interacting with a MySQL database through a form, I am well aware that I should use mysql_real_escape_string() (no worries!), but this guy I know does it differently on his website and we were just talking about what the best solution is. Instead of adding a backslash, he adds a ' so
just ' testing ' becomes just '' testing '' rather than just \' testing \'
He is using MSSQL 2000, though. I guess there is a reason why it's called mysql_real_escape_string, so is his solution the appropriate one for MSSQL? I was just wondering if this is secure? What would happen if a user entered the following in a text field (which is used in an SQL query)?
just \' testing \'
That would become just \'' testing \'', wouldn't it? Forgive my noobness, but would that be insecure in SQL (not sure about SQL escaping)?
I hope you get my point.
Thanks.

https://forums.phpfreaks.com/topic/198413-escaping/

So instead of using addslashes make your own function like this:

function escapeMSSQL($string) {
    // T-SQL escapes a single quote inside a string literal by doubling it
    return str_replace("'", "''", $string);
}

Then if there are other items that need to be escaped you can add them there as well. I looked at the manual roughly and could not find an escape function for MSSQL, so yea. Hopefully this helps ya.

https://forums.phpfreaks.com/topic/198413-escaping/#findComment-1041204
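Added example, written for this thread and not posted by either participant: it takes the quote-doubling function from the reply, feeds it the input Andy17 asked about (a value that already contains backslashes and quotes), and checks with a small scanner whether the resulting T-SQL literal is still consumed as exactly one string. In T-SQL a backslash has no special meaning inside a single-quoted literal, so `just \' testing \'` becoming `just \'' testing \''` is fine; the only character that can end the literal is a lone single quote, and doubling removes every lone quote. The `findByName()` function at the end shows the parameterised alternative; the `users` table, `:name` parameter and the assumption that a PDO driver for SQL Server is installed are placeholders of this example.

```php
<?php
// Added example (not from the thread): why doubling the quote is the right
// escape for a T-SQL string literal, and how to check that it held.
declare(strict_types=1);

// Same idea as the reply's escapeMSSQL(). In T-SQL the only character that
// can terminate a single-quoted literal is another single quote; backslash
// is an ordinary character, so doubling the quote is sufficient for values
// placed inside a quoted literal.
function escapeMSSQL(string $string): string
{
    return str_replace("'", "''", $string);
}

// The quoted literal exactly as it would appear inside the SQL text.
function tsqlLiteral(string $value): string
{
    return "'" . escapeMSSQL($value) . "'";
}

// Minimal scanner for a T-SQL single-quoted literal starting at $start.
// Returns the index just past the closing quote, or null if the literal
// never closes. Two adjacent quotes inside are an escaped quote, not an end.
function tsqlLiteralEnd(string $sql, int $start = 0): ?int
{
    if (($sql[$start] ?? '') !== "'") {
        return null;
    }
    $i   = $start + 1;
    $len = strlen($sql);
    while ($i < $len) {
        if ($sql[$i] === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $i += 2;       // escaped quote: still inside the literal
                continue;
            }
            return $i + 1;     // lone quote closes the literal
        }
        $i++;
    }
    return null;
}

// True when the whole text is consumed as one literal, i.e. nothing in the
// value was able to end the quotes early.
function isSingleLiteral(string $literalText): bool
{
    return tsqlLiteralEnd($literalText) === strlen($literalText);
}

// Hardened alternative: the driver sends the value separately from the SQL
// text, so no escaping is needed at all. Table and parameter names are
// placeholders; assumes a PDO driver for SQL Server (e.g. pdo_sqlsrv).
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the two from the question plus a plain name with an
// apostrophe. For each, compare the unescaped literal with the escaped one.
foreach (["just ' testing '", "just \\' testing \\'", "O'Brien"] as $input) {
    $raw     = "'" . $input . "'";
    $escaped = tsqlLiteral($input);
    printf("%-22s raw: %-28s one literal: %-3s escaped: %-28s one literal: %s\n",
        $input,
        $raw,     isSingleLiteral($raw)     ? 'yes' : 'no',
        $escaped, isSingleLiteral($escaped) ? 'yes' : 'no');
}
```

Running it shows every unescaped input ending its literal early while every escaped one is read as a single string, backslashes included. The scanner is only a check on the string-literal context; a value dropped into a numeric position or an identifier is not protected by quote doubling, which is the reason to prefer the prepared statement in `findByName()` wherever the driver supports it.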
