
Whenever I implement this code, I no longer get an error while using a single quote, but the hex string gets written to the database instead of being converted back to the original characters.

function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    // Hex-encode the bytes and emit them as an unquoted 0x... binary literal
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}

mssql_query('
    INSERT INTO sometable (somecolumn)
    VALUES (' . mssql_escape($somevalue) . ')
');

This is what I'm trying to do. $suggestTest is the variable I'm using the escape function on.

$nomDept = $_POST['nomDept'];
$subSupervisor = $_POST['subSupervisor'];
$suggestion = $_POST['suggestion'];

$suggestTest = mssql_escape($suggestion);

if ($subSupervisor == "Yes") {
    $query = "INSERT INTO dbo.emp_recog (nomDept, nomSuggestion, subSupervisor) VALUES (";
    $query .= "'" . $nomDept . "', ";
    // Wrapping the 0x... literal in quotes makes SQL Server treat it as plain text
    $query .= "'" . $suggestTest . "', ";
    $query .= "'" . $subSupervisor . "');";
    $res = mssql_query($query);
}

I've also tried omitting the single quotes around the variable, like so:

if ($subSupervisor == "Yes") {
    $query = "INSERT INTO dbo.emp_recog (nomDept, nomSuggestion, subSupervisor) VALUES (";
    $query .= "'" . $nomDept . "', ";
    // Unquoted 0x... literal; the concatenation operator was missing here
    $query .= $suggestTest . ", ";
    $query .= "'" . $subSupervisor . "');";
    $res = mssql_query($query);
}

1 Answer

If you use prepare to build your SQL statement, you do not need to escape the variables.
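As an added example (not the answerer's code), the INSERT from the question rewritten as a parameterized query with PDO and the sqlsrv driver; the legacy mssql_* functions used above have no parameter binding for ad-hoc statements, so a different driver is assumed. The DSN, credentials and the table dbo.emp_recog are assumptions, and the form data is a constructed sample.

```php
<?php
// Added example: parameterized INSERT via PDO_SQLSRV.
// Assumed: server name, database and credentials below are placeholders.

function connectDb(): PDO
{
    $pdo = new PDO(
        'sqlsrv:Server=localhost;Database=SuggestionsDb',
        'app_user',
        'app_password'
    );
    // Raise exceptions instead of silently returning false on errors
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function insertSuggestion(PDO $pdo, string $nomDept, string $suggestion, string $subSupervisor): int
{
    // Named placeholders: the driver sends the values separately from the SQL text,
    // so a single quote inside $suggestion is stored verbatim and is never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO dbo.emp_recog (nomDept, nomSuggestion, subSupervisor)
         VALUES (:nomDept, :nomSuggestion, :subSupervisor)'
    );
    $stmt->execute([
        ':nomDept'       => $nomDept,
        ':nomSuggestion' => $suggestion,
        ':subSupervisor' => $subSupervisor,
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST, including the troublesome single quote
$post = [
    'nomDept'       => 'Finance',
    'subSupervisor' => 'Yes',
    'suggestion'    => "Let's add a second printer on the 3rd floor",
];

if ($post['subSupervisor'] === 'Yes') {
    $pdo = connectDb();
    $rows = insertSuggestion($pdo, $post['nomDept'], $post['suggestion'], $post['subSupervisor']);
    echo "Inserted $rows row(s)\n";
}
```

No mssql_escape call is needed: the value reaches the column as the original characters, not as a hex string, because it is never spliced into the statement text.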