I'm using php and sql server 2008 and the SQL Server Driver for PHP 1.0 does not have a similar escape string like mysql_real_escape_string.
Do I just need to replace single quotations with something like
function sqlsvr_escape_string($string)
{
$pattern = "'";
$replace = "''";
return(stripslashes(eregi_replace($pattern,$replace,$string)));
}
or do I not need to be concerned because it uses parametrized statements? e.g.
$tsql = "SELECT * from tblUsers where email=(?) AND password=(?)";
$params = array($email, $encryptedPass);
$stmt = sqlsvr_prepare($conn, $tsql, $params);
The only resource I could find was this where the above snippet is from.
Thanks for any help and comments.
-TK
The later. You don't need to be worried about escaping your SQL if you're using parametrized statements.
From a "client coder" point of view (as in you're a client of SQL Server), the reason you use parametrized statements is you don't trust yourself to properly and/or consistently escape your values. Instead, you outsource that responsibility to the coders who created and maintain sqlsvr_prepare (or AdoDB, or Propel, or Doctrine, or etc.). It's their job to make sure that all data is properly escaped.
As it uses prepared statements (maybe called "parametrized statements"), you don't need to escape data by yourself : the driver will know how to escape those, depending on what's in the DB, I guess.
I am pretty sure you don't have to write your own escaping function.
The best to bge sure, though, is to test : for instance, can you inject some arbitrary string containing a single quote ? Is the quote stored into the DB, or do you get an error ?