
In a PHP script I need to update the title and content fields. If I put "@" into content I get the error "Description: Incorrect syntax near '@'." I fixed it with the symbols ' ". Is there any solution for escaping, or a framework for the DB layer?

I'm forced to use f**ng MS SQL :(

Code:

$conn = new COM("ADODB.Connection");   // COM bridge to ADO (Windows only)
$conn->Open('bla-bla-password...');    // connection string with credentials
// Values are spliced straight into the T-SQL text. addslashes() backslash-escapes
// quotes, but T-SQL does not treat a backslash as an escape character, so a quote
// inside the data can still terminate the string literal.
$query = sprintf("UPDATE page SET title='%s', page_content='%s' WHERE id=%d;",
                 addslashes($title), addslashes($content), intval($id));
$rs = $conn->Execute($query);
mapcuk
  • http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php got this from fast googling – kirilloid Feb 07 '11 at 17:28

1 Answer


Use PDO prepared statements to escape special characters … not sprintf or addslashes.

Quentin
    Or at least avoid `addslashes()` like the plague and use your DB's native quoting function – Marc B Feb 07 '11 at 17:48
  • Thanks. Actually I'm thinking of using Yii; I think it can solve all the common problems instead of coding from scratch. – mapcuk Feb 08 '11 at 13:22
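The same UPDATE written with a PDO prepared statement, as an added example that is not code from the question or the answer. It assumes the Microsoft sqlsrv PDO driver; the DSN, credentials, table columns from the question, and the sample row values are placeholders.

```php
<?php
// Added example: the question's UPDATE done through a PDO prepared statement.
// Values are sent as parameters, never spliced into the T-SQL text.
// Server, database, credentials and the sample values are constructed placeholders.
declare(strict_types=1);

function updatePage(PDO $db, int $id, string $title, string $content): int
{
    // Named placeholders stand in for the data; the driver transmits the values
    // separately from the statement, so '@', quotes and ';' in the data cannot
    // alter the SQL.
    $stmt = $db->prepare(
        'UPDATE page SET title = :title, page_content = :content WHERE id = :id'
    );
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':content', $content, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();   // rows updated; 0 if the id does not exist
}

// Connect via the sqlsrv PDO driver (placeholder DSN and credentials).
// ERRMODE_EXCEPTION makes failures throw instead of silently returning false.
$db = new PDO(
    'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Constructed sample data containing the characters that break string splicing:
// an '@', a single quote and a semicolon all travel safely as parameter values.
$id      = 42;
$title   = "O'Reilly's page";
$content = "Contact: someone@example.com; it's fine";

$updated = updatePage($db, $id, $title, $content);
printf("%d row(s) updated\n", $updated);
```

Quoting the values into the query string is no longer needed, so neither addslashes() nor a driver-specific quoting function is involved.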