How do I escape special characters in user input - I'm using sql server database

Question

Could someone help me..

I'm trying to escape special chars: " , ' backslash * and other special chars to prevent sql injection.

The problem here is that i'm using php and sql server.

I've searched a lot, but nothing that could really help me, specially with the ' char.

Here is my code:

public function query($sql)
{
    $result = sqlsrv_query($this->connection, $sql);
    return $result;
}

Show the code you are using to insert the data into the database. Without that, nobody can help — Pekka, Feb 23 '12 at 11:37
@Pekka - I'm not having problems while saving data (without '). The problem arise when data contains ' — MIlena, Feb 23 '12 at 11:44
http://stackoverflow.com/questions/2146546/mysql-real-escape-string-alternative-for-sql-server — Sam Arul Raj T, Feb 23 '12 at 11:48

score 4 · Answer 1 · answered Feb 23 '12 at 11:46

4

Don't bother.

answered Feb 23 '12 at 11:46

Arkh

What do you know, "use PDO" indeed is the correct and full answer for this case. Downvote removed :) – Pekka Feb 23 '12 at 11:52
I was searching for something simple and faster.. thnx – MIlena Feb 23 '12 at 12:02
@Mllena Arkh's suggestion really is the best way to go. Using home-brewn escaping functions isn't a nice idea really. – Pekka Feb 23 '12 at 12:17
How is using something already existing not simpler than writing your own solution? Beside that, it would simplify your code too - for instance error handling via exceptions would be waaay easier. – Flavius Feb 23 '12 at 12:45

score -4 · Answer 2 · answered Feb 23 '12 at 11:49

-4

answered Feb 23 '12 at 11:49

Nishant

I've used that with mysql, but i'm using sql server – MIlena Feb 23 '12 at 12:01

2 Answers2