Basically I've got a text editor that will possibly send HTML tags to my table.

I'm using this text editor in my website http://www.tinymce.com/

But what if someone uses the ' character?

I have been searching for a way to allow users to enter VARCHAR-type characters on my website. In MySQL there is the escape string function. What is its alternative in SQL Server? I have been searching a lot... haven't found what I am searching for so far.

Please help me out. Thanks ^_^

  • Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). Prepared statements will handle all of your special characters in data fields correctly. – Jay Blanchard Apr 27 '15 at 18:50
  • You will want to use [Parameterized Queries](http://www.mssqltips.com/sqlservertip/2981/using-parameters-for-sql-server-queries-and-stored-procedures/) to avoid SQL injection attacks. – dub stylee Apr 27 '15 at 18:50
  • If you are just using the mssql extension (instead of PDO), you can still [bind values](http://php.net/manual/en/function.mssql-bind.php) to your queries. – Jonathan Kuhn Apr 27 '15 at 18:55

1 Answer

You have to use a double apostrophe to get a single apostrophe inserted into your column.

Something like this:

```sql
INSERT INTO exampleTbl VALUES('I don''t know')
```

If you are using PHP you can use parameterised queries with PDO.

As Mr. Jonathan Kuhn has pointed out in the comments, you can also look at mssql_init and mssql_bind in case you are not using PDO.

  • @JayBlanchard that depends on the DBMS. In MSSQL, you double up the single quote ([SO](http://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sql-server)). This is the same as in Oracle. – Jonathan Kuhn Apr 27 '15 at 18:59
  • True @JonathanKuhn, but escaping data is *so* 2006 ¯\\_(ツ)_/¯ – Jay Blanchard Apr 27 '15 at 19:01
  • Yes. But the answer isn't wrong. That is how you escape quotes in MSSQL. And @Singleton, you could also point to the [mssql_init](http://php.net/mssql_init) and [mssql_bind](http://www.php.net/mssql_bind) in case OP is just using the MSSQL extension and not PDO. – Jonathan Kuhn Apr 27 '15 at 19:03
  • I have removed those comments. – Jay Blanchard Apr 27 '15 at 19:03
  • @JayBlanchard I will say that double single quotes really threw me for a loop when I first saw it also. I still don't understand why. But that – Jonathan Kuhn Apr 27 '15 at 19:06