I'm using PHP and SQL Server 2008, and the SQL Server Driver for PHP 1.0 does not have an escape function similar to mysql_real_escape_string.

Do I just need to replace single quotations with something like

function sqlsvr_escape_string($string)
{
  // Double every single quote, which is how a quote is written inside a
  // T-SQL string literal. str_replace stands in for eregi_replace, which is
  // deprecated (and gone in later PHP); a regex is unnecessary for one literal character.
  $escaped = str_replace("'", "''", $string);
  // stripslashes only makes sense if magic_quotes_gpc added backslashes to
  // the request data; it removes them before the value reaches SQL Server.
  return stripslashes($escaped);
}

or do I not need to be concerned because it uses parametrized statements? e.g.

$tsql = "SELECT * FROM tblUsers WHERE email = ? AND password = ?";
$params = array($email, $encryptedPass);
// The driver's function is spelled sqlsrv_prepare; the prepared statement
// then has to be run with sqlsrv_execute before rows can be fetched.
$stmt = sqlsrv_prepare($conn, $tsql, $params);
sqlsrv_execute($stmt);

The only resource I could find was this, which is where the above snippet is from.

Thanks for any help and comments.

-TK

+2  A: 

As it uses prepared statements (maybe called "parametrized statements"), you don't need to escape data by yourself: the driver will know how to escape those, depending on what's in the DB, I guess.

I am pretty sure you don't have to write your own escaping function.

The best way to be sure, though, is to test: for instance, can you inject some arbitrary string containing a single quote? Is the quote stored in the DB, or do you get an error?

Pascal MARTIN
+1  A: 

The latter. You don't need to be worried about escaping your SQL if you're using parametrized statements.

From a "client coder" point of view (as in you're a client of SQL Server), the reason you use parametrized statements is you don't trust yourself to properly and/or consistently escape your values. Instead, you outsource that responsibility to the coders who created and maintain sqlsvr_prepare (or AdoDB, or Propel, or Doctrine, or etc.). It's their job to make sure that all data is properly escaped.

Alan Storm
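A worked illustration of both answers, added here as an example and not code from the question or from either answerer. It shows the concatenated query that a single quote breaks out of, the parametrized form the driver sends with the values kept separate from the SQL text, and the round-trip check Pascal suggests. The server name, database, credentials and the tblUsers(email, password) table are assumed for the demonstration; only the sqlsrv_* functions of the SQL Server Driver for PHP are real.

```php
<?php
// Added example, not from the original post. Assumes the sqlsrv extension is
// loaded and that a SQL Server instance is reachable with the hypothetical
// connection details below, holding a table tblUsers(email, password).

$conn = sqlsrv_connect('localhost\\SQLEXPRESS', array(
    'Database' => 'demo',   // hypothetical database name
    'UID'      => 'demo',   // hypothetical login
    'PWD'      => 'demo',   // hypothetical password
));
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// Attacker-controlled input: the classic tautology payload.
$email         = "' OR 1=1 --";
$encryptedPass = 'anything';

// 1. VULNERABLE: building the query by concatenation. The quote in $email
//    closes the string literal and the rest of the input becomes SQL, so the
//    password check is commented out. Shown for contrast; never executed here.
$vulnerable = "SELECT email FROM tblUsers WHERE email='$email' AND password='$encryptedPass'";
// Text the server would receive:
//   SELECT email FROM tblUsers WHERE email='' OR 1=1 --' AND password='anything'

// 2. SAFE: a parametrized statement. The SQL text contains only placeholders;
//    the values travel separately, so the quote in $email is plain data and
//    can never change the statement's structure.
$tsql = "SELECT email FROM tblUsers WHERE email = ? AND password = ?";
// sqlsrv_prepare binds parameters by reference, so pass variables, not literals.
$stmt = sqlsrv_prepare($conn, $tsql, array(&$email, &$encryptedPass));
if ($stmt === false || sqlsrv_execute($stmt) === false) {
    die(print_r(sqlsrv_errors(), true));
}
$matches = 0;
while (sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC) !== false) {
    $matches++;   // stays 0 unless a user's email really is "' OR 1=1 --"
}
echo "parametrized login query matched $matches row(s)\n";

// 3. Pascal's check: write a value containing a single quote through a
//    parameter, then read it back. A working driver stores it unchanged and
//    raises no error; any difference means something in between is mangling it.
$probeEmail = "o'brien@example.com";   // constructed test value
$probePass  = 'probe';
$ins = sqlsrv_query($conn, "INSERT INTO tblUsers (email, password) VALUES (?, ?)",
                    array($probeEmail, $probePass));
if ($ins === false) {
    die(print_r(sqlsrv_errors(), true));
}
$sel = sqlsrv_query($conn, "SELECT email FROM tblUsers WHERE email = ?", array($probeEmail));
$row = sqlsrv_fetch_array($sel, SQLSRV_FETCH_ASSOC);
echo "quote round-tripped intact: " . (($row && $row['email'] === $probeEmail) ? 'yes' : 'no') . "\n";

sqlsrv_free_stmt($stmt);
sqlsrv_free_stmt($sel);
sqlsrv_close($conn);
```

Two caveats a practitioner will want alongside the answers. Placeholders protect values only: a table or column name, an ORDER BY direction or a TOP count that comes from the user cannot be passed as a parameter and still needs to be validated against an allow-list. And the protection holds only if every value goes through the placeholder; a single remaining "'$var'" in the SQL text reopens the hole, which is exactly what the round-trip check above would reveal.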