Escape String Functions


GUIR
06-03-2007, 12:54 PM
Hi!

We see two functions used with MySQL & Postgre for creating escaped strings.

mysql_escape_string()
pg_escape_string()

However, I am working with ODBC and tried to find something like odbc_escape_string().

But it seems there is no such thing.

Then I looked for a generic escape string function, and I didn't find one either.

I've two questions

01. Why are there two separate functions for MySQL and Postgre, and none for ODBC?

02. Is there an alternative for ODBC?

If anyone knows, please let me know.

Best Regards

NogDog
06-04-2007, 12:02 AM
I suppose you could use addslashes().

GUIR
06-04-2007, 12:36 PM
Hi!

Thanks for your advice. It is very useful for me.

However, I still have a question: why are two different functions used for the two DBMSs?

mysql_escape_string()
pg_escape_string()

Best Regards

19Rookie83
06-04-2007, 07:06 PM
Because each of those two DBs' query strings will call out different characters as being illegal and will require different characters to escape them. Just the same way that using mysql_escape_string() doesn't do jack if you are using a SQL database in your development.

The only thing you can do is figure out how to write your own filters and escape functions for the database you are working on. It really isn't that hard, if you get creative; just don't rely on addslashes() alone. It will end up taking a lot more to be able to trust the data that is coming from your users.

GUIR
06-06-2007, 12:55 PM
Thanks!

Thanks for your useful advice.

Best Regards

eval(BadCode)
03-24-2011, 03:11 AM
I'm going to raise this one from the grave and give an answer.


Where is the escape function? ...

I came up with 4 answers:

1) addslashes
I'm not so sure that addslashes will work, since it might not be interpreted the same way by the tsql parse tree, in the event it did make queries safe. I wouldn't bet my money on addslashes making it secure either, since it's going to be escaping characters which are not meant to be.

2) replace input single quotes with two input single quotes
Her's turns into Her''s
I'm even less sure about this one... I wouldn't use it.

3) odbc_prepare http://www.php.net/manual/en/function.odbc-prepare.php
I think this one is getting close; unfortunately the php documentation for it is poor (as it always is), but it's helpful and points you to a better connector for tsql mssql.

4)

    function ms_escape_string($data) {
        // Treat a missing or empty value as an empty string
        // (note: empty('0') is also true, so the string '0' comes back as '')
        if ( !isset($data) or empty($data) ) return '';
        // Numeric values are returned as-is, unquoted and unescaped
        if ( is_numeric($data) ) return $data;

        // Strip non-printable control characters, both URL-encoded and raw
        $non_displayables = array(
            '/%0[0-8bcef]/',  // URL-encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/',   // URL-encoded 16-31
            '/[\x00-\x08]/',  // 00-08
            '/\x0b/',         // 11
            '/\x0c/',         // 12
            '/[\x0e-\x1f]/'   // 14-31
        );
        foreach ( $non_displayables as $regex )
            $data = preg_replace( $regex, '', $data );
        // T-SQL escapes a single quote inside a string literal by doubling it
        $data = str_replace("'", "''", $data );
        return $data;
    }


I took this from here: http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php

And that person took it from code igniter. This solution seems fine for now, I'll have to test it.
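The following is an added example, not code from anyone in this thread or from CodeIgniter. It checks answers 1, 2/4 and 3 above against T-SQL's string-literal rules, which it assumes as the target dialect: a literal is `'...'`, a quote inside it is written as `''`, and backslash is not an escape character. The `users` table, `name` column and `$conn` handle in the last function are hypothetical; `odbc_prepare()`, `odbc_execute()` and `odbc_fetch_array()` are the real PHP ODBC functions.

```php
<?php
// Added example (not from the thread): why addslashes() is the wrong tool for
// T-SQL over ODBC, and what quote-doubling or a prepared statement does instead.

/**
 * Return true if $literal is exactly one T-SQL single-quoted string literal.
 * Assumed T-SQL rules: '' inside the literal is a quote, a lone ' closes it,
 * and \ has no special meaning, so \' does NOT keep the string open.
 */
function tsql_is_single_literal(string $literal): bool {
    $len = strlen($literal);
    if ($len < 2 || $literal[0] !== "'") {
        return false;
    }
    for ($i = 1; $i < $len; $i++) {
        if ($literal[$i] !== "'") {
            continue;
        }
        if ($i + 1 < $len && $literal[$i + 1] === "'") {
            $i++;                    // doubled quote: still inside the string
            continue;
        }
        return $i === $len - 1;      // lone quote closes it; any text after it is outside
    }
    return false;                    // never closed
}

// Answer 1: addslashes() (MySQL-style backslash escaping)
function literal_addslashes(string $value): string {
    return "'" . addslashes($value) . "'";
}

// Answers 2 and 4: double every single quote
function literal_doubled(string $value): string {
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed sample values
$samples = ["plain", "O'Reilly", "it's ' tricky"];
foreach ($samples as $v) {
    printf("%-16s addslashes: %-7s doubled: %s\n",
        $v,
        tsql_is_single_literal(literal_addslashes($v)) ? 'ok' : 'BROKEN',
        tsql_is_single_literal(literal_doubled($v)) ? 'ok' : 'BROKEN');
}
// Under the assumed rules, "plain" passes both ways, while every value containing
// a quote is BROKEN with addslashes (the \' leaves the literal open-ended) and ok
// when doubled.

// Answer 3 (preferred): do not build the literal at all. The value travels as a
// bound parameter, so no dialect's escaping rules apply to it.
function find_user_by_name($conn, string $name) {
    // Per the PHP manual, odbc_execute() treats a parameter that both starts and
    // ends with a single quote as a file name to read and send as binary data.
    // Reject such input rather than let it be reinterpreted.
    if (strlen($name) >= 2 && $name[0] === "'" && substr($name, -1) === "'") {
        return false;
    }
    $stmt = odbc_prepare($conn, 'SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        return false;
    }
    if (!odbc_execute($stmt, [$name])) {
        return false;
    }
    return odbc_fetch_array($stmt);
}
```

The checker is only a model of the literal rules, not a SQL parser; its point is that addslashes() produces backslash escapes that T-SQL does not understand, so a value with a quote in it ends the literal early, while quote-doubling (what ms_escape_string() does) keeps it closed. The prepared-statement version avoids the question entirely, with the one odbc_execute() quirk about quote-wrapped parameters handled explicitly.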