I just had a brief discussion with the lead developer, who explained he uses the following function to escape data before submission to the DB:
<?php
// CHR_UNI() is a helper from the poster's codebase that is not shown here (145-148 are the Windows-1252 curly quotes).
function mssql_escape($str) { return str_replace('"', '""', str_replace("'", "''", trim($str))); } // double both quote kinds
function mssql_unescape($str) { return str_replace('""', '"', str_replace("''", "'", $str)); }     // collapse them again
function mssql2js($str) { // backslash-escape quotes and CR/LF for use inside a JS string literal
    $s = str_replace("'", "\\'", trim($str));
    $s = str_replace('"', '\\"', $s);
    $s = str_replace(chr(13), '\\r', $s);
    return str_replace(chr(10), '\\n', $s);
}
function mssql_txt_escape($str) { // normalise curly and back quotes to ASCII quotes, then double the single quotes
    $s = str_replace([CHR_UNI(148), CHR_UNI(147)], '"', $str);
    $s = str_replace([CHR_UNI(146), CHR_UNI(145), '`'], "'", $s);
    $s = str_replace(['>', '<'], ['>', '<'], $s); // no-op as posted; the replacement strings were probably HTML entities lost in rendering
    return str_replace("'", "''", $s);
}
function mssql_txt_unescape($str) { return str_replace("''", "'", $str); }
We're using ODBC to connect to a Windows MSSQL server from an Ubuntu box.
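Added example (editor's, not code from the original post or from the lead developer): doubling single quotes, as mssql_escape() does, only has an effect when the value is spliced into a single-quoted T-SQL string literal. In an unquoted context such as a numeric comparison there is nothing to double, so the input reaches the parser unchanged. The block below builds both kinds of query from a constructed input and then shows the parameterized form over PDO/ODBC, where the value is never spliced into the SQL text at all. The DSN name mssql_dsn, the users table, and the MSSQL_USER / MSSQL_PASS environment variables are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes the pdo_odbc extension and
// an ODBC DSN called "mssql_dsn" (hypothetical) for the SQL Server box, plus a
// "users" table with integer "id" and "username" columns (also hypothetical).

// Quote doubling, the single-quote half of mssql_escape() from the post.
function mssql_escape_quotes(string $str): string
{
    return str_replace("'", "''", trim($str));
}

// Context 1: value spliced into a quoted T-SQL literal. Doubling keeps the
// input inside the literal, so a quote in the payload cannot close it.
function build_quoted_query(string $username): string
{
    return "SELECT id FROM users WHERE username = '" . mssql_escape_quotes($username) . "'";
}

// Context 2: value spliced into an unquoted numeric comparison. There is no
// quote for the escaper to double, so the payload reaches the parser verbatim.
function build_numeric_query(string $id): string
{
    return "SELECT id FROM users WHERE id = " . mssql_escape_quotes($id);
}

// Context 3: parameterized query over PDO/ODBC. The SQL text is fixed and the
// value travels separately as a typed parameter; no splicing, no escaping.
function find_user_by_id(PDO $db, string $id): array
{
    // Reject anything that is not an integer before it gets near the driver.
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("id must be an integer, got: $id");
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs for the demonstration.
$payloadQuoted  = "bob' OR 1=1 --";
$payloadNumeric = "1 OR 1=1";

// Quoted context: the doubled quote keeps the whole payload inside '...'.
echo build_quoted_query($payloadQuoted), PHP_EOL;
// Numeric context: the escaper found nothing to double, the OR is live SQL.
echo build_numeric_query($payloadNumeric), PHP_EOL;

// The parameterized path only runs when credentials are supplied (hypothetical env vars).
if (getenv('MSSQL_USER') !== false) {
    $db = new PDO('odbc:DSN=mssql_dsn', getenv('MSSQL_USER'), getenv('MSSQL_PASS') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        find_user_by_id($db, $payloadNumeric);   // rejected by the integer check
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
    var_dump(find_user_by_id($db, '1'));          // bound as an integer parameter
}
```

Run with `php example.php` and the first two lines show the difference: the quoted query comes out as `... WHERE username = 'bob'' OR 1=1 --'` with the payload still inside the literal, while the numeric query comes out as `... WHERE id = 1 OR 1=1`, identical to the input, because quote doubling had nothing to act on. With MSSQL_USER set, the parameterized call refuses the non-integer id up front and binds a valid one as a typed parameter, so the quoting question never arises.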