Bohdi

Reputation: 1305

Escaping function wiping all data from text fields/areas

I am attempting to replace ' with '' for error reasons within MSSQL queries. I understand that it could be more secure; I am just learning and they will get more secure.

So I used str_replace and did this:

$dbTABLE = "Table_Name";
// Double any single quote in $PageHTML before it is placed in the query text.
$query_sql = sprintf("UPDATE %s SET PageHTML = ('%s') WHERE PageID = '%d'",
    $dbTABLE,
    str_replace("'", "''", $PageHTML),
    $PageID);

Worked fine, but for consistency and ease of use I want to write a function I could just include in all pages. Function looks like this:

function SQLencode($svalue) {
    // Intended to double every single quote in $svalue.
    str_replace("'", "''", $svalue);
}

and implemented like this:

SQLencode($PageHTML),

However this just wipes all data from the query, I don't understand why. All my data is just blank afterwards. Can anyone tell me where I am going wrong?

Upvotes: 0

Views: 57

Answers (2)

JvdBerg

Reputation: 21856

Instead of trying to do the escaping yourself (sprintf is a bad choice), better use the mssql_bind function to bind parameters to the query.

Upvotes: 1
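The same UPDATE written with parameter binding, as an added example that is not part of this answer. It uses a PDO prepared statement on the sqlsrv driver instead of mssql_bind (the mssql extension is removed from current PHP); the connection values are placeholders, and the table and column names are taken from the question.

```php
<?php
// Added example: bind the values instead of doubling quotes by hand.
// Assumed: placeholder server, database and credentials; table and
// column names are those used in the question.

function updatePageHtml(PDO $pdo, int $pageId, string $pageHtml): int
{
    // The table name cannot be bound as a parameter, so it stays a constant.
    $sql = "UPDATE Table_Name SET PageHTML = :html WHERE PageID = :id";
    $stmt = $pdo->prepare($sql);
    // Values travel separately from the SQL text, so a ' inside
    // $pageHtml is treated as data and never reshapes the statement.
    $stmt->bindValue(':html', $pageHtml, PDO::PARAM_STR);
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO(
    "sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER",
    "DB_USER_PLACEHOLDER",
    "DB_PASS_PLACEHOLDER",
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Constructed input containing the single quote that broke the original query.
$html = "<p>It's working</p>";
$rows = updatePageHtml($pdo, 42, $html);
echo "Rows updated: $rows\n";
```

With ATTR_ERRMODE set to exceptions, a failed prepare or execute throws instead of silently leaving the data blank, which makes mistakes like the missing return easier to notice.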

UltraInstinct

Reputation: 44444

You need to return the value from the function SQLencode(..).

function SQLencode($svalue) {
    return str_replace("'","''",$svalue);
}

Upvotes: 2
