
Forum Moderators: coopster & jatar k


Will mysql real escape string work with Sql Server queries?

     
1:49 pm on Oct 25, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:June 15, 2007
posts:86
votes: 0


Is the function mysql_real_escape_string really only made to be used with MySQL queries or will it work with SQL Server queries?

Also any further information on SQL injection prevention is welcome.

I have gathered that stripslashes and mysql_real_escape_string are a good solution.

Best Regards

NooK

3:08 pm on Oct 25, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member whoisgregg is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 9, 2003
posts:3416
votes: 0


Whichever handler you are using to connect to your database should have a corresponding *_escape_string function to go with it.

3:20 pm on Oct 25, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:May 31, 2006
posts:116
votes: 0


SQL Server has different escape characters than MySQL, so no, the MySQL real escape string functions won't help you there. They'll still work, but they won't give the correct escape characters.

SQL Server uses the ' (single quote) as the escape character, so you'll need to do a find/replace on your string to add a ' in front of all the characters SQL Server doesn't like. Usually an apostrophe itself is the biggest problem, so I usually use:

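function escapeSingleQuotes($string){
    // Escape single quotes by doubling them
    $singQuotePattern = "'";
    $singQuoteReplace = "''";
    // str_replace() stands in for eregi_replace(), which was removed in PHP 7;
    // the pattern is a literal quote, so the result is the same
    return stripslashes(str_replace($singQuotePattern, $singQuoteReplace, $string));
}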
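
The difference between the two escaping styles discussed in this thread, as an added example that is not part of any post: it escapes one constructed input both ways and then reads the resulting literal back under SQL Server's quoting rules. The function names `mysqlStyleEscape`, `tsqlEscape` and `readTsqlLiteral` are hypothetical, and `mysqlStyleEscape` only approximates `mysql_real_escape_string`, which needs a live MySQL connection.

```php
<?php
// Added illustration (not from the thread). All function names are hypothetical.

// Approximates MySQL-style escaping: special characters get a backslash prefix.
function mysqlStyleEscape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// SQL Server style, as in the post above: a quote inside a literal is doubled.
function tsqlEscape(string $s): string {
    return str_replace("'", "''", $s);
}

// Reads one string literal the way SQL Server does: '' is an embedded quote,
// a lone ' ends the literal, and a backslash has no special meaning.
// Returns [decoded literal value, text left over after the closing quote].
function readTsqlLiteral(string $sql): array {
    $value = '';
    $n = strlen($sql);
    for ($i = 1; $i < $n; $i++) {            // $sql[0] is the opening quote
        if ($sql[$i] !== "'") { $value .= $sql[$i]; continue; }
        if ($i + 1 < $n && $sql[$i + 1] === "'") { $value .= "'"; $i++; continue; }
        return [$value, substr($sql, $i + 1)];
    }
    return [$value, ''];                     // unterminated literal
}

$input = "O'Brien";                          // constructed sample input

foreach (['mysqlStyleEscape', 'tsqlEscape'] as $escaper) {
    [$value, $rest] = readTsqlLiteral("'" . $escaper($input) . "'");
    printf("%-16s literal=%-12s leftover=%s\n",
        $escaper, '[' . $value . ']', '[' . $rest . ']');
}
// A non-empty leftover means part of the input ended up outside the literal and
// would be parsed as SQL; only the doubled-quote form round-trips to $input.
```

With a driver that supports bound parameters (for example PDO's `prepare()` and `execute()`), the value is sent separately from the SQL text, so no escaping function is involved at all.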