sql version of mysql_real_escape_string()

I'm not sure there is a perfect analog.

http://blog.sqlauthority.com/2008/02/17/sql-server-how-to-escape-single-quotes-fix-error-105-unclosed-quotation-mark-after-the-character-string/

mysql_real_escape_string() is smarter than addslashes().

Do you have a code sample that shows the problem you're having with escapes in SQL 2005?

this is for mysql

and i would like it for sql server

$fn  = mysql_real_escape_string($_POST["firstname"]); 
$ln  = mysql_real_escape_string($_POST["lastname"]);

Select allOpen in new window

isn't that a Php function ? I am not sure how it relates to SQL Server

@aneeshattingal: Maybe he is using ODBC?

Agree with Ray, I don't know of a direct function call that duplicates the abilities of mysql_real_escape_string.  You would have to construct your own on the PHP side or in a user defined function on MS SQL side.

See if this helps for that purpose.
http:Q_21927070.html

yes using using ODBC

php to connect to sql server 2005

I saw the other experts exchange link

and the answer is

for mssql-server str_replace("'", "''", $data) is typical sufficient to escape the data so no sqlinjection is possible.


how would this apply to

$fn  = mysql_real_escape_string($_POST["firstname"]);  
$ln  = mysql_real_escape_string($_POST["lastname"]);

Select allOpen in new window

thanks