How to escape strings in SQL Server using PHP?

php sql-server escaping input-sanitization
Click Upvote picture Click Upvote · Feb 22, 2009 · Viewed 116.6k times · Source

I'm looking for the alternative of mysql_real_escape_string() for SQL Server. Is addslashes() my best option or there is another alternative function that can be used?

An alternative for mysql_error() would also be useful.

Answer

chaos picture chaos · Feb 22, 2009

addslashes() isn't fully adequate, but PHP's mssql package doesn't provide any decent alternative. The ugly but fully general solution is encoding the data as a hex bytestring, i.e.

$unpacked = unpack('H*hex', $data);
mssql_query('
    INSERT INTO sometable (somecolumn)
    VALUES (0x' . $unpacked['hex'] . ')
');

Abstracted, that would be:

function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}

mssql_query('
    INSERT INTO sometable (somecolumn)
    VALUES (' . mssql_escape($somevalue) . ')
');

mysql_error() equivalent is mssql_get_last_message().

Related questions

Fatal error: Call to undefined function sqlsrv_connect()

I have come across quite a few post regarding the same subject question, however I am still unable to resolve it and so I ask. I am trying to connect to sql in my php script. My connection string is: /* …

Read More
"Adaptive Server is unavailable or does not exist" error connecting to SQL Server from PHP

I'm attempting to connect to a SQL Server 2005 DB from my Mac using unixODBC and FreeTDS as I have outlined here. However, when I try to connect in to a different DB using the same setup, I get: Connection Failed:[…

Read More
Connect PHP to MSSQL via PDO ODBC

When I execute this code: print_r(PDO::getAvailableDrivers()); It says I have the odbc driver available. Array ( [0] => mysql [1] => odbc [2] => sqlite ) However, when I try to use it like so: $handle = new PDO("odbc:Server=dbServerIpAddress,myportnumber;…

Read More