I am wondering what the equivalent in PHP is for escaping strings for SQL Server?
If you use a wrapper like PDO, you won't have to worry about that because you can work with parametrized queries. If you can, use a wrapper. – Pekka Jan 27 '10 at 11:52
Sorry, I don't have the privilege to use PDO. – Alec Smart Jan 27 '10 at 11:53
3 Answers
Nice question, I don't know but you could use PDO::quote() with the PDO_DBLIB driver.
EDIT: Seems like this guy got it from StackOverflow:
    function mssql_escape($data) {
        // Numbers are passed through untouched; anything else is sent as a
        // hexadecimal (varbinary) literal, so no quoting characters are needed.
        if (is_numeric($data))
            return $data;
        $unpacked = unpack('H*hex', $data);
        return '0x' . $unpacked['hex'];
    }
Another option:
    function mssql_escape($str)
    {
        // Undo magic_quotes_gpc if it is on (the function was removed in PHP 8, hence the guard).
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        {
            $str = stripslashes($str);
        }
        // A T-SQL string literal is terminated only by an apostrophe, so doubling it is enough.
        return str_replace("'", "''", $str);
    }
The best alternative is to use parameterised queries, then you don't have to escape strings.
If you still want to put the query together yourself, the proper way to escape a string literal for SQL Server (T-SQL) is to replace each apostrophe (') in the string with two apostrophes.

Does that also handle null characters, backslashes and the like in the string? – Jun 06 '12 at 15:03
@ebyrob: Yes. Backslashes in a string don't need any special treatment at all, by the way. – Guffa Jun 06 '12 at 17:02
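An added example (not code from any of the answers above) showing the apostrophe-doubling rule from this answer beside the parameterised form it recommends; it assumes a PDO connection through the sqlsrv or dblib driver and a table dbo.users with id and name columns (both assumed):

```php
<?php
declare(strict_types=1);

/** Escape a value for use INSIDE a single-quoted T-SQL string literal. */
function tsql_quote_literal(string $value): string
{
    // In T-SQL the only character that terminates a '...' literal is the
    // apostrophe itself; backslashes carry no meaning, so doubling the
    // apostrophe is the complete rule. The N prefix makes it an nvarchar literal.
    return "N'" . str_replace("'", "''", $value) . "'";
}

/**
 * Hand-built query: only safe if EVERY untrusted value goes through
 * tsql_quote_literal() AND lands inside a quoted literal. Escaping does
 * nothing for values used outside a literal (numbers, identifiers, ORDER BY columns).
 */
function build_query_by_hand(string $name): string
{
    return 'SELECT id FROM dbo.users WHERE name = ' . tsql_quote_literal($name);
}

/** Preferred: the driver sends the value separately from the SQL text, so no escaping at all. */
function find_user_parameterised(PDO $pdo, string $name): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM dbo.users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed inputs: a legitimate apostrophe, and a string carrying both an
// apostrophe and a comment delimiter, the cases the answers above discuss.
$inputs = ["O'Brien", "x' OR 1=1 --"];
foreach ($inputs as $in) {
    // Each result keeps the whole input inside one N'...' literal, so the
    // comparison stays a comparison; the "--" never becomes a comment.
    echo build_query_by_hand($in), PHP_EOL;
}

// Assumed DSN for the sqlsrv driver; uncomment to run the parameterised lookup.
// $pdo = new PDO('sqlsrv:Server=localhost;Database=app', 'user', 'password');
// var_dump(find_user_parameterised($pdo, "O'Brien"));
```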
The short answer is: use whatever mechanism your connection libraries provide; it really has nothing to do with the database. If you're using ADO, you have parameterized queries; if you're using something else (I know nothing about PHP), then use whatever that library offers.
Rolling your own is probably a bad idea, because you're very likely to get something wrong, e.g. handling comment delimiters correctly.
