Mysql_real_escape_string alternative for SQL Server

I wonder what the equivalent is in PHP for escaping SQL Server strings?

+7
php sql-server tsql
3 answers

Good question, I don’t know, but you could use PDO::quote() with PDO_DBLIB.


EDIT: Looks like this guy is overflowing https://stackoverflow.com/a/166185/:

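    function mssql_escape($data) {
        // Numeric values are passed through unchanged.
        if (is_numeric($data)) {
            return $data;
        }
        // Anything else is sent as a hex literal (0x...).
        $unpacked = unpack('H*hex', $data);
        return '0x' . $unpacked['hex'];
    }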

Another option:

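    function mssql_escape($str) {
        // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return str_replace("'", "''", $str);
    }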
+7

The best alternative is to use parameterized queries; then you do not need to escape strings.

If you still want to assemble the query yourself, the right way to escape a string literal for SQL Server (T-SQL) is to replace each apostrophe (') in the string with two apostrophes.

+3
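The two approaches from the answer above, side by side, as an added example that is not part of the original answers. The table, column and sample values are constructed, and an in-memory SQLite database stands in for SQL Server so the script runs without a server; against SQL Server only the PDO DSN changes.

```php
<?php
// Added example: apostrophe doubling versus a parameterized query.
// Assumptions: the customers table and the sample names are constructed;
// SQLite in memory is a stand-in for SQL Server.

// Doubling as described in the answer. The result is only meaningful
// inside a quoted literal, so the function adds the quotes itself.
function tsql_quote_literal(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Parameterized lookup: the statement text is fixed and the value is
// bound separately, so no escaping of $name is needed.
function find_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For SQL Server the DSN would start with sqlsrv: or dblib: instead,
// e.g. 'sqlsrv:Server=HOST;Database=DB' (HOST and DB are placeholders).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample data: an apostrophe, and an apostrophe followed by
// a comment delimiter, both of which must be stored as plain text.
$names = ["O'Brien", "D'Arcy -- VIP", 'Alice'];

$insert = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);
}

foreach ($names as $name) {
    $rows = find_by_name($db, $name);
    // Each stored value comes back identical to what was bound.
    printf(
        "%-16s literal form: %-20s round trip ok: %s\n",
        $name,
        tsql_quote_literal($name),
        (count($rows) === 1 && $rows[0]['name'] === $name) ? 'yes' : 'no'
    );
}
```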

Short answer: use any mechanism your connection libraries provide, it really has nothing to do with the database. If you use ADO, you have parameterized queries, if you use something else (I don't know anything about PHP), then use what this library offers.

Rolling your own is probably a bad idea because you are likely to get something wrong, for example handling comment delimiters correctly.

0