Solved

sql version of mysql_real_escape_string()

Posted on 2009-12-31
Last Modified: 2012-05-08
mysql_real_escape_string()

How is this used in SQL Server 2005?
0
Question by:rgb192
12 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 26156157
I'm not sure there is a perfect analog.

http://blog.sqlauthority.com/2008/02/17/sql-server-how-to-escape-single-quotes-fix-error-105-unclosed-quotation-mark-after-the-character-string/

mysql_real_escape_string() is smarter than addslashes().

Do you have a code sample that shows the problem you're having with escapes in SQL 2005?
0
 

Author Comment

by:rgb192
ID: 26156175
This is for MySQL

and I would like it for SQL Server
$fn  = mysql_real_escape_string($_POST["firstname"]); 
$ln  = mysql_real_escape_string($_POST["lastname"]);


0
 
LVL 75

Expert Comment

by:Aneesh Retnakaran
ID: 26156178
Isn't that a PHP function? I am not sure how it relates to SQL Server.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 26156184
@aneeshattingal: Maybe he is using ODBC?
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 26156206
Agree with Ray, I don't know of a direct function call that duplicates the abilities of mysql_real_escape_string.  You would have to construct your own on the PHP side or in a user defined function on MS SQL side.

See if this helps for that purpose.
http:Q_21927070.html
0
 

Author Comment

by:rgb192
ID: 26156267
Yes, using ODBC

PHP to connect to SQL Server 2005
0
 
LVL 59

Accepted Solution

by:
Bill Prew earned 500 total points
ID: 26156786
0
 
LVL 1

Assisted Solution

by:like_php
like_php earned 500 total points
ID: 26158099
MySQL and MS SQL are both ODBC databases, so both use almost the same language, but each has different properties. About MS SQL injection, I guess this article is very important for you: http://msdn.microsoft.com/en-us/library/ms998271.aspx

So to protect your DB, MySQL or MS SQL, both can protect queries with the mysql_escape_string function or by using the htmlspecialchars() function.
0
 

Author Comment

by:rgb192
ID: 26158362
I saw the other Experts Exchange link

and the answer is

For MS SQL Server, str_replace("'", "''", $data) is typically sufficient to escape the data so no SQL injection is possible.


How would this apply to
$fn  = mysql_real_escape_string($_POST["firstname"]);  
$ln  = mysql_real_escape_string($_POST["lastname"]);


0
 
LVL 60

Assisted Solution

by:Kevin Cross
Kevin Cross earned 500 total points
ID: 26158397
$fn  =  str_replace("'", "''", $_POST["firstname"]);  
$ln  =  str_replace("'", "''", $_POST["lastname"]);
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 26162596
This strategy to double the quotes _might_ work and you would want to test it with a variety of inputs.  There is another built-in from PHP that you should consider.  See the description and examples here:
http://us3.php.net/manual/en/function.addslashes.php

That is what I would choose if I did not have a DB-specific way to escape the data.

Best regards, ~Ray

$safe_data = addslashes($raw_data);


0
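
As an added example (not code from any poster in this thread): a simplified PHP model of how SQL Server reads a quoted string literal, applied to the quote-doubling and addslashes() suggestions above, followed by the parameterized ODBC form that needs no escaping. The sample input, the `people` table and the `tsql_literal_value` and `insert_person` helpers are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Simplified model of how SQL Server
// reads a single-quoted literal: the only escape for a quote is a doubled
// quote (''); a backslash before a quote is an ordinary character.

/** Value of $lit if it is exactly one well-formed literal, else null. */
function tsql_literal_value(string $lit): ?string
{
    $n = strlen($lit);
    if ($n < 2 || $lit[0] !== "'") {
        return null;
    }
    $value = '';
    for ($i = 1; $i < $n; $i++) {
        if ($lit[$i] !== "'") {
            $value .= $lit[$i];
        } elseif ($i + 1 < $n && $lit[$i + 1] === "'") {
            $value .= "'";      // '' inside the literal is one quote
            $i++;
        } else {
            // Closing quote: well-formed only if nothing follows it.
            return ($i === $n - 1) ? $value : null;
        }
    }
    return null;                // literal never closed
}

$input = "O'Brien";             // constructed sample input

$candidates = [
    'str_replace' => "'" . str_replace("'", "''", $input) . "'",
    'addslashes'  => "'" . addslashes($input) . "'",
];
foreach ($candidates as $name => $literal) {
    $ok = tsql_literal_value($literal) === $input;
    echo $name, ': ', $literal, ' ', $ok ? 'round-trips' : 'literal ends early', "\n";
}

// Parameterized form: the values never become part of the SQL text.
// Assumptions: $conn comes from odbc_connect(); table "people" is hypothetical.
function insert_person($conn, string $fn, string $ln): bool
{
    $sql  = 'INSERT INTO people (firstname, lastname) VALUES (?, ?)';
    $stmt = odbc_prepare($conn, $sql);
    return $stmt !== false && odbc_execute($stmt, [$fn, $ln]);
}
```

Quote doubling only protects values that end up inside a quoted literal; values used in numeric or identifier positions need validation or parameters instead.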
 

Author Closing Comment

by:rgb192
ID: 31671690
thanks
0
