I'm using PHP and SQL Server 2008, and the SQL Server Driver for PHP 1.0 does not have a similar escape string function like mysql_real_escape_string.
Do I just need to replace single quotes with something like

```php
function sqlsvr_escape_string($string)
{
    // Double each single quote so it is treated as a literal inside a T-SQL string.
    // (eregi_replace() is deprecated and removed in PHP 7; str_replace() does the same job here.)
    $pattern = "'";
    $replace = "''";
    // stripslashes() undoes magic_quotes_gpc escaping on the raw input.
    return stripslashes(str_replace($pattern, $replace, $string));
}
```
or do I not need to be concerned because it uses parameterized statements? e.g.

```php
$tsql = "SELECT * from tblUsers where email=(?) AND password=(?)";
$params = array($email, $encryptedPass);
// The driver function is sqlsrv_prepare(); the values in $params are bound to the ? placeholders.
$stmt = sqlsrv_prepare($conn, $tsql, $params);
sqlsrv_execute($stmt);
```
The only resource I could find was this, which is where the above snippet is from.
Thanks for any help and comments.
-TK
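A worked example of the parameterized route with the sqlsrv driver, added here as an illustration and not taken from the question or the driver's documentation. The server name, database, credentials and the tblUsers column names are assumptions, it assumes a PHP version with password_verify(), and the password is checked in PHP against a stored hash rather than compared inside the SQL statement.

```php
<?php
// Added example (not from the original question). Connection details and schema are assumptions.
$serverName = "localhost\\SQLEXPRESS";
$connectionInfo = array("Database" => "appdb", "UID" => "app_user", "PWD" => "app_password");

$conn = sqlsrv_connect($serverName, $connectionInfo);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// Constructed input containing a single quote: no escaping function is applied to it.
$email = "o'brien@example.com";
$password = "correct horse battery staple";

// The ? placeholder is bound by the driver, so the quote in $email is sent to SQL Server
// as data, not as part of the statement text. Column names are assumed.
$tsql = "SELECT id, password_hash FROM tblUsers WHERE email = ?";
$stmt = sqlsrv_prepare($conn, $tsql, array(&$email));
if ($stmt === false || sqlsrv_execute($stmt) === false) {
    die(print_r(sqlsrv_errors(), true));
}

// sqlsrv_fetch_array() returns an array, null when there are no rows, false on error.
$row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
$authenticated = is_array($row) && password_verify($password, $row['password_hash']);
echo $authenticated ? "login ok\n" : "login failed\n";

sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);
```

With the prepared statement the only escaping concern that remains is the one you introduce yourself by concatenating user input into $tsql; keep every user-supplied value in $params instead.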