Andy17 Posted April 13, 2010

Hey,

When interacting with a MySQL database through a form, I am well aware that I should use mysql_real_escape_string() (no worries!), but this guy I know does it differently on his website, and we were just talking about what the best solution is. Instead of adding a backslash, he adds a ' so that

just ' testing '

becomes

just '' testing ''

rather than

just \' testing \'

He is using MSSQL 2000, though. I guess there is a reason why it's called mysql_real_escape_string, so is his solution the appropriate one for MSSQL? I was just wondering whether this is secure. What would happen if a user entered the following in a text field (which is used in an SQL query)?

just \' testing \'

That would become just \'' testing \'', wouldn't it? Forgive my noobness, but would that be insecure in SQL (I'm not sure about SQL escaping)? I hope you get my point. Thanks.
Ken2k7 Posted April 13, 2010

In MS SQL, \ doesn't escape anything, so using it would have no effect on the single quote. To escape a single quote, you add another single quote. It is weird.
otuatail Posted April 13, 2010

\ does escape. You can use addslashes() to get an apostrophe into a database table:

$result = addslashes("O'Riley");
Ken2k7 Posted April 13, 2010

\ does escape. You can use addslashes() to get an apostrophe into a database table: $result = addslashes("O'Riley");

Not in MS SQL. Read carefully please.
premiso Posted April 13, 2010

So instead of using addslashes, make your own function like this:

function escapeMSSQL($string) {
    return str_replace("'", "''", $string);
}

Then if there are other items that need escaping, you can add them there as well. I looked at the manual roughly and could not find an escape function for MSSQL, so yea. Hopefully this helps ya.
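To show why quote-doubling answers the original question, here is an added example (not code from the thread or from any of the posters) that applies the same str_replace idea and then reads the result back the way T-SQL reads a string literal: a doubled quote stays inside the literal, a lone quote closes it, and a backslash is just a character. The table name, column and sample inputs are constructed for the demonstration.

```python
# Added example, not code from the thread: quote-doubling as the escape for a
# T-SQL string literal, plus a small scanner that shows where the literal ends.
# In T-SQL a backslash has no escape meaning; the only way out of a '...'
# literal is a single quote that is not immediately followed by another one.

def escape_mssql_literal(value: str) -> str:
    """Same idea as the PHP str_replace in the thread: double every single quote."""
    return value.replace("'", "''")


def parse_first_literal(sql: str) -> tuple:
    """Decode the first '...' literal in sql the way T-SQL reads it.

    Returns (decoded_text, remainder_after_closing_quote). A doubled quote
    inside the literal decodes to one quote; every other character, backslash
    included, is taken as-is.
    """
    start = sql.index("'")
    out = []
    i = start + 1
    while i < len(sql):
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
        elif i + 1 < len(sql) and sql[i + 1] == "'":
            out.append("'")                    # '' is one quote, still inside
            i += 2
        else:
            return "".join(out), sql[i + 1:]   # lone quote closes the literal
    raise ValueError("unterminated string literal")


def build_query(user_input: str) -> str:
    """Interpolate the escaped value into a constructed query (table/column are made up)."""
    return "SELECT * FROM users WHERE name = '" + escape_mssql_literal(user_input) + "'"


if __name__ == "__main__":
    # The exact input the original poster asked about: just \' testing \'
    sample = "just \\' testing \\'"
    print(escape_mssql_literal(sample))            # just \'' testing \''
    print(parse_first_literal(build_query(sample)))  # ("just \\' testing \\'", "")
```

The round trip shows the backslash never interferes with the doubled quote, so the input the poster worried about stays inside the literal. Doubling only covers string literals, though; values used in numeric positions or as identifiers are not protected by it, and parameterized queries remain the more robust choice.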