Will mysql real escape string work with Sql Server queries?

Forum Moderators: coopster

Message Too Old, No Replies

Will mysql real escape string work with Sql Server queries?

NooK

1:49 pm on Oct 25, 2007 (gmt 0)

Is the function mysql_real_escape_string really only made to be used with mySql queries or will it work with SQL Server queries?

Also any further information on SQl Injection preventio is welcome.

I have gathered that stripslashes and mysql_real_escape_string are a good solution.

Best Regards

NooK

whoisgregg

3:08 pm on Oct 25, 2007 (gmt 0)

Whichever handler you are using to connect to your database should have a corresponding *_escape_string function to go with it.

PostgreSQL: pg_escape_string [php.net]
MySQL: mysql_real_escape_string [php.net]
SQLite: sqlite_escape_string [php.net]

Duskrider

3:20 pm on Oct 25, 2007 (gmt 0)

SQL Server has different escape characters than MySQL, so no, the MySQL real escape string functions won't help you there. They'll still work, but they won't give the correct escape characters.

SQL Server uses the ' (single quote) as the escape character, so you'll need to do a find/replace on your string to add a ' in front of all the characters SQL Server doesn't like. Usually an apostrophe itself is the biggest problem, so I usually use:

function escapeSingleQuotes($string){
//escapse single quotes
$singQuotePattern = "'";
$singQuoteReplace = "''";
return(stripslashes(eregi_replace($singQuotePattern, $singQuoteReplace, $string)));
}