
How can i use real_escape_string in sqlsrv?

This is my code:

$uname = sqlsrv_real_escape_string($conn, trim($_POST['uname']));
$pass  = sqlsrv_real_escape_string($conn, trim($_POST['pword']));

but I receive the following error:

undefined function sqlsrv_real_escape_string

    This might be a duplicate of https://stackoverflow.com/questions/574805/how-to-escape-strings-in-sql-server-using-php – unknown6656 Jun 22 '17 at 06:05
    If you use prepared statements with binds, this should solve a lot of the problems that real escape string is designed to cover. – Nigel Ren Jun 22 '17 at 06:18
    In general *_escape_string is the wrong way to do escaping. You should use prepared statements with bind parameters and let the database handle all the escaping. Try looking into PDO – rypskar Jun 22 '17 at 06:19
  • As far as I know they never cared to write such a feature (probably because it's a modern extension and the functionality wouldn't be especially useful). If it's important for you, you may want to try whether the PDO flavour implements [PDO::quote()](http://php.net/manual/en/pdo.quote.php). – Álvaro González Jun 22 '17 at 16:39
  • If any of the answers provided is helpful, please upvote them, and mark as accepted the one that best answered your question. See https://stackoverflow.com/help/someone-answers. Thanks! – miken32 Sep 18 '17 at 16:17

2 Answers


The SQL Server code makes prepared statements very easy to do:

$query = "SELECT * FROM users WHERE username=? AND password=?";
$parameters = [$_POST["uname"], $_POST["pword"]];
$result = sqlsrv_query($conn, $query, $parameters);

Simply replace your values with a ? and then pass them as an array (in order) as the third argument to sqlsrv_query().

(Not that you would ever store plaintext passwords in a database, right?)


I understand why you would want to use this to capture innocent ' and weed out SQL injections, but there is no such function sqlsrv_real_escape_string. You could make your own function or use preg_replace and add '\'. Just a thought.

Take a look at the answers to this question
