Escaping in MSSQL

Posted: Tue Apr 14, 2009 11:25 am
by alex.barylski
I have a simple query where I am passing in some GPC data like so:

```php
$name = addslashes($name);

$sql = "SELECT mcats_id FROM MBR__CLASSIFIED_ADVT__TYPE__SUB WHERE mcats_type = '$name' AND mcat_id = '$cat_primary'";
$res = odbc_exec($odbc_ptr, $sql);
```
addslashes() doesn't seem to do the trick. The field is actually labeled SUV's and therefore I cannot strip the single quote otherwise the search will fail.

How do I escape the SQL query so I may include the 's in the query?

Cheers,
Alex

Re: Escaping in MSSQL

Posted: Tue Apr 14, 2009 12:25 pm
by Christopher
Have you tried odbc_prepare()? Also you may have to convert single quotes to two single quotes instead of escaping with a slash.

Re: Escaping in MSSQL

Posted: Tue Apr 14, 2009 1:13 pm
by alex.barylski
Two single quotes sounds like the suggested solution -- although I tried ''$title'' and it still didn't do the trick. My DBA made some changes and all seems to work for now.

Thanks :)

Cheers,
Alex

Re: Escaping in MSSQL

Posted: Tue Apr 14, 2009 7:51 pm
by HCBen
I use a custom function:

```php
// Quote a PHP value as a T-SQL literal: MSSQL escapes a single quote
// inside a string literal by doubling it, not with a backslash.
function _sqlString($string)
{
    if (is_string($string)) {
        return "'" . str_ireplace("'", "''", $string) . "'";
    } elseif (is_null($string)) {
        return "NULL";
    } else {
        // Numbers and other non-string values are returned unquoted.
        return $string;
    }
}
```
Like so:

```php
$sql = "SELECT mcats_id FROM MBR__CLASSIFIED_ADVT__TYPE__SUB WHERE mcats_type = " . _sqlString($name) . " AND mcat_id = " . _sqlString($cat_primary) . " ";
```
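Putting the thread's two suggestions together, as an added example that is not code from any of the posters: the preferred path is a prepared statement via odbc_prepare()/odbc_execute(), which hands the value to the driver so "SUV's" needs no escaping at all, with a quote-doubling helper as the fallback for the string-building style used above. The DSN, credentials and the findSubtype()/sqlLiteral() names are placeholders of mine; the table and column names are the thread's.

```php
<?php
// Added example; DSN, credentials and function names are placeholders.

// Fallback: quote a value as a T-SQL string literal. MSSQL doubles the
// single quote ('') inside a literal; a backslash (addslashes) is not
// an escape character in T-SQL, which is why the original query failed.
function sqlLiteral($value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Preferred: a prepared statement. The driver receives the value out of
// band, so quoting is the driver's job and "SUV's" round-trips unchanged.
function findSubtype($conn, string $name, int $catPrimary): array
{
    // odbc_execute() treats a parameter that both starts and ends with a
    // single quote as the name of a file to read and send instead; reject
    // such input so a search term can never name a file on the web server.
    if (strlen($name) > 1 && $name[0] === "'" && substr($name, -1) === "'") {
        throw new InvalidArgumentException('Quoted search term not allowed');
    }
    $stmt = odbc_prepare(
        $conn,
        'SELECT mcats_id FROM MBR__CLASSIFIED_ADVT__TYPE__SUB '
        . 'WHERE mcats_type = ? AND mcat_id = ?'
    );
    if ($stmt === false || !odbc_execute($stmt, [$name, $catPrimary])) {
        throw new RuntimeException(odbc_errormsg($conn));
    }
    $ids = [];
    while ($row = odbc_fetch_array($stmt)) {
        $ids[] = (int) $row['mcats_id'];
    }
    return $ids;
}

// Self-check of the fallback helper; runs without a database.
assert(sqlLiteral("SUV's") === "'SUV''s'");
assert(sqlLiteral(null) === 'NULL');
assert(sqlLiteral(7) === '7');

// Against a live DSN (placeholder values):
// $conn = odbc_connect('DSN_PLACEHOLDER', 'user', 'pass');
// $ids  = findSubtype($conn, "SUV's", 3);
```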