Escaping function for Microsoft SQL?

bunner_bob

I mainly know MySQL, but I'm porting some of my code to work with MS SQL Server. I normally run mysql_real_escape_string() on certain fields, but there doesn't appear to be a direct parallel for MS SQL.

Ideally there'd be a function that works on both, so I don't have to customize it. Suppose I could write my own, but is there a more-or-less canned way of doing it?

laserlight

If you are on PHP5, you should consider using prepared statements with the PDO extension.

bunner_bob

Though some day I must learn PHP5, my hope for now is my client is not using PHP5 since I haven't dabbled in it yet.

I did find this function digging around under "addslashes" in the php manual:

function addslashes_mssql($str){
   if (is_array($str)) {
       foreach($str AS $id => $value) {
           $str[$id] = addslashes_mssql($value);
       }
   } else {
       $str = str_replace("'", "''", $str);   

   }

   return $str;
}

function stripslashes_mssql($str){
   if (is_array($str)) {
       foreach($str AS $id => $value) {
           $str[$id] = stripslashes_mssql($value);
       }
   } else {
       $str = str_replace("''", "'", $str);   

   }

   return $str;
}

I don't really know what characters are dangerous in MS SQL, but this seems to do something with single quotes anyway...