Correct way to escape input data before passing to ODBC

php odbc escaping user-input mysql-real-escape-string
psynnott picture psynnott · Apr 19, 2011 · Viewed 9.1k times · Source

I am very used to using MySQL and mysql_real_escape_string(), but I have been given a new PHP project that uses ODBC.

What is the correct way to escape user input in a SQL string?

Is addslashes() sufficient?

I would like to get this right now rather than later!

Answer

halfdan picture halfdan · Apr 19, 2011

Instead of string escaping the PHP ODBC driver uses prepared statements. Use odbc_prepare to prepare an SQL statement and odbc_execute to pass in the parameters and execute the statements. (This is similar to what you can do with PDO).

Related questions

How to connect PHP with Microsoft Access database

I am currently faced with a new challenge to develop a site using Microsoft Access as the primary database instead of mysql. I have not used MS Access before and I would like guidiance on how to go about it, …

Read More
Connect PHP to MSSQL via PDO ODBC

When I execute this code: print_r(PDO::getAvailableDrivers()); It says I have the odbc driver available. Array ( [0] => mysql [1] => odbc [2] => sqlite ) However, when I try to use it like so: $handle = new PDO("odbc:Server=dbServerIpAddress,myportnumber;…

Read More
Linux - PHP 7.0 and MSSQL (Microsoft SQL)

Yes, I know that PHP 7.0 removed the extensions needed to connect to MSSQL. FreeTDS was my option prior to PHP 7.0 but now there really is no obvious upgrade path for those needing to still connect to MSSQL. Stupid question, but …

Read More