
I'm integrating my website with an API that only allows me to execute MSSQL in string form. I cannot use a prepared/bound statement since the API will only accept a string.

Is escaping with mysqli_real_escape_string effective/compatible with MSSQL when I cannot execute prepared statements?

Example:

$query = "SELECT * FROM foo WHERE product='" . mysql_real_escape_string($user_input) . "'";
api($query);
Asked by KitInd
  • `mysqli_real_escape_string()` uses a `mysqli` link to a MySQL database to escape a string according to the locale in force. `mysql_real_escape_string()` does the same for `mysql` (the two are different). Neither will work for a connection to an MSSQL database. –  Jan 06 '14 at 23:53
  • The API handles the connection to the database, I just pass it a query string to execute. I meant compatible as in the output syntax will not break anything where MySQL and MSSQL differ. – KitInd Jan 07 '14 at 00:01
  • You misunderstand: mysqli_real_escape_string **requires** a connection to a **MySQL** database to work. It's not about syntax compatibility - the function just won't work with MSSQL. –  Jan 07 '14 at 00:04
  • Got it. I will encode input as a hex string as outlined in: How to escape strings in SQL Server using PHP? Thank you. – KitInd Jan 07 '14 at 00:13
  • You should probably consider using a more intelligent "API" than one that just blindly executes any string you pass it. This is precisely how the whole SQL injection revolution started in the first place. – Aaron Bertrand Jan 07 '14 at 01:38
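
Since the question has no answers, here is an added example (not from the asker or any commenter) of what the comments describe: a value is made safe for a T-SQL string literal by doubling single quotes, not by the backslash escaping `mysqli_real_escape_string()` produces, and the hex-literal route the asker settled on needs no quote character at all. The helper names `mssqlQuote`, `mssqlHexLiteral` and `buildProductQuery` are invented for this illustration; the `foo` table and `product` column come from the question.

```php
<?php
// Added example, not the question's code. Build a T-SQL string literal
// without mysqli_real_escape_string(), which needs a live MySQL link and
// emits backslash escapes that SQL Server treats as ordinary characters.

// T-SQL escapes a single quote inside a literal by doubling it. The N prefix
// makes the literal NVARCHAR so non-ASCII input is not silently mangled.
function mssqlQuote(string $value): string
{
    return "N'" . str_replace("'", "''", $value) . "'";
}

// Alternative: ship the bytes as a varbinary literal and CAST them, so no
// quote character ever reaches the statement text. NVARCHAR is stored as
// UTF-16LE, which is why the input is converted before hex-encoding.
function mssqlHexLiteral(string $value): string
{
    $utf16 = mb_convert_encoding($value, 'UTF-16LE', 'UTF-8');
    if ($utf16 === '') {
        return "N''"; // avoid emitting a bare 0x for the empty string
    }
    return 'CAST(0x' . bin2hex($utf16) . ' AS NVARCHAR(MAX))';
}

// Only the value is quoted; table and column names are fixed in the code.
// Quoting helpers never make a user-supplied identifier safe.
function buildProductQuery(string $userInput): string
{
    return 'SELECT * FROM foo WHERE product = ' . mssqlQuote($userInput);
}

// Constructed sample input containing a quote, to show it stays inside the literal.
$sample = "O'Reilly widget";
echo buildProductQuery($sample), PHP_EOL;
// SELECT * FROM foo WHERE product = N'O''Reilly widget'

echo 'SELECT * FROM foo WHERE product = ' . mssqlHexLiteral($sample), PHP_EOL;
```

Both helpers protect only string values; numbers, identifiers and `LIKE` patterns still need their own validation, and a prepared statement remains the better choice wherever the API can be changed to accept one.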

0 Answers