
MSSQL - real_escape_string - Addslashes


storm197

MIS
Oct 9, 2002
55
CA
Hi,

I wanted to make a topic with this subject.

I'm working with MSSQL and I want to secure the users input in my Queries.

Unfortunately, the MSSQL functions don't have a real_escape_string function that allows me to secure the info.

I read some topics where people suggest using the addslashes function, but MSSQL does not use the backslash character as an escape mechanism.

A function like this one could help, but I don't think it's a completely secure solution.

<?php
// Doubles every single quote so the value can be placed inside a
// single-quoted T-SQL literal ('' is the escape for ' in T-SQL).
function mssql_addslashes($data) {
    $data = str_replace("'", "''", $data);
    return $data;
}
?>
Can anyone give me advice on this one?
 
From what I've read, the escape character for MS-SQL is '' (two quotes).

I'll try it on my server.
 
That's correct.

For the "children's toy" string:

If I submit children's toy, SQL crashes.

If I submit children''s toy, it works.
 
So, it seems to be just to replace single quotes with two single quotes. In that scenario I don't see anything wrong with the little function you provided in your initial post.
What are your concerns?
 
My concern is that the little function only handles quotes (').

If I look at php.net, it says that mysql_real_escape_string handles the following characters: NULL, \x00, \n, \r, \, ', " and \x1a.

If I just handle quotes, is that a big security breach in my system?
 
As far as I know, backslashes seem to be characters like any other. I've done a couple of tests, and MSSQL always returns the value with the backslash included.
 
It's the same for double quotes; MSSQL seems to take them as normal characters.

When the field is null, it takes it as a blank variable.

If I write NULL, MSSQL takes it as a normal string.

So, after all, I think that checking only for quotes will do the job.

Thanks for your support and advice.

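Added example, not part of the thread: PHP that checks the thread's conclusion and shows where it stops applying. Doubling single quotes is the complete escape for text placed inside a single-quoted T-SQL literal; backslash, NUL and double quotes are ordinary characters there, as the posts above found (the one exception is a session running with SET QUOTED_IDENTIFIER OFF, where double quotes also delimit string literals). It gives no protection for a value concatenated outside quotes, such as an integer id, because that payload contains no quote to double. The small scanner below mirrors how the server reads a literal; the function names, the products table and the sqlsrv DSN are assumptions, and the parameterised version needs PDO (the legacy mssql_* extension used in the thread has no parameter binding and was removed in PHP 7).

```php
<?php
// Added example (not from the original thread). Demonstrates why doubling
// single quotes is the right escape for a T-SQL string literal, the contexts
// where that escape alone is not enough, and the parameterised alternative.
// No SQL Server is contacted: the scanner below stands in for the server's
// literal parsing, and find_product() is only defined, not called.

// Same idea as the thread's mssql_addslashes, but this version also adds the
// surrounding quotes so the escape cannot be used outside a quoted literal.
// Backslash is an ordinary character in T-SQL, so nothing else needs escaping
// inside '...'.
function mssql_quote_literal(string $data): string
{
    return "'" . str_replace("'", "''", $data) . "'";
}

// Minimal scanner for a single-quoted T-SQL literal starting at $pos.
// Returns the decoded value and the offset just past the closing quote,
// or null if the literal never terminates (the "SQL crash" in the thread).
function scan_tsql_literal(string $sql, int $pos): ?array
{
    if (($sql[$pos] ?? '') !== "'") {
        return null;
    }
    $value = '';
    $len = strlen($sql);
    for ($i = $pos + 1; $i < $len; $i++) {
        if ($sql[$i] !== "'") {
            $value .= $sql[$i];
        } elseif ($i + 1 < $len && $sql[$i + 1] === "'") {
            $value .= "'";   // doubled quote decodes to one quote
            $i++;
        } else {
            return ['value' => $value, 'end' => $i + 1];
        }
    }
    return null;
}

// Parameterised query: the driver sends $name separately from the SQL text,
// so no escaping is needed regardless of column type. The DSN and the
// products table are assumptions for illustration; needs the PDO_SQLSRV driver.
function find_product(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// $pdo  = new PDO('sqlsrv:Server=localhost;Database=shop', $user, $pass);
// $rows = find_product($pdo, "children's toy");

// 1. An escaped literal round-trips exactly, attacker payload included.
foreach (["children's toy", "x' OR 1=1 --", "a''b", ""] as $input) {
    $sql = 'SELECT name FROM products WHERE name = ' . mssql_quote_literal($input);
    $lit = scan_tsql_literal($sql, strpos($sql, "'"));
    if ($lit === null || $lit['value'] !== $input || $lit['end'] !== strlen($sql)) {
        throw new RuntimeException("round-trip failed for: $input");
    }
}

// 2. Raw input terminates the literal early: "children's toy" leaves
//    "s toy'" dangling, which is the syntax error seen in the thread.
$sql = "SELECT name FROM products WHERE name = 'children's toy'";
$lit = scan_tsql_literal($sql, strpos($sql, "'"));
if ($lit === null || $lit['value'] !== 'children') {
    throw new RuntimeException('expected the literal to end at the stray quote');
}

// 3. Quote doubling does nothing in an unquoted (numeric) context: the
//    payload contains no quote, so the filter leaves it untouched.
$id = '1 OR 1=1';
$unsafe = 'SELECT name FROM products WHERE id = ' . str_replace("'", "''", $id);
if ($unsafe !== 'SELECT name FROM products WHERE id = 1 OR 1=1') {
    throw new RuntimeException('unexpected unsafe query');
}
// Fix for numeric columns: enforce the type (or bind a parameter as above).
$safe = 'SELECT name FROM products WHERE id = ' . (int) $id;
if ($safe !== 'SELECT name FROM products WHERE id = 1') {
    throw new RuntimeException('unexpected safe query');
}
echo "all checks passed\n";
```

Run it with the php CLI; it exits silently with "all checks passed" when the scanner agrees with the thread's observations. The take-away for the thread's question is that the quote-doubling function is sufficient exactly when every user value is wrapped in single quotes, and that binding parameters removes the need to reason about contexts at all.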
 