user1029829
Reputation: 961
How to correctly sanitize mssql query that stores emails
I have a query that goes to a mailbox and tries to save all emails in a table. It works in most cases but it fails when the email content value has double or single quote marks. How would I modify my code to correctly insert all queries?
$num = imap_num_msg($imap);
if($num > 0)
{
for($b = $num; $b > 0; $b--)
{
$body = $this->get_part($imap, $b, "TEXT/HTML");
if($body == "")
{
$body = $this->get_part($imap, $b, "TEXT/PLAIN");
}
$header = imap_headerinfo($imap, $b);
$subject = $header->subject;
$fromaddress = $header->fromaddress;
$body = str_replace("'", "''", $body);
//$body = str_replace("\"", "\"\"", $body);
$sql3 = "INSERT INTO [tbl_test] (content)
VALUES ('".$body."')";
$result3 = mssql_query($sql3, $dbh1);
}
}
Afterwords I get these errors:
Warning: mssql_query(): message: Unclosed quotation mark after the character string 'Please investigate why the below s....
Warning: mssql_query(): General SQL Server error: Check messages from the SQL Server (severity 15) in /var/www/testing.php on line 38
Upvotes: 1
Views: 939
Answers (1)
Jason Carter
Reputation: 925
You want to be using parameters:
$query = "INSERT INTO test (email, body) VALUES (?,?);";
$arrParams[]="[email protected]";
$arrParams[]="My email body has quotes\'s or double quotes \" in it.";
$resource=sqlsrv_query($conn, $query, $arrParams);
Source: sqlsrv_query
Upvotes: 3
Related Questions
- PHP data sanitization in emails
- A better SQL string sanitization function
- Php to MsSql query - escape quotes (') issue
- Is FILTER_SANITIZE_EMAIL enough or is mysql_real_escape_string also needed to avoid security issues in PHP/MySQL?
- PHP Form Data Sanitization
- Sanitize HTML in SQL query with PHP function
- PHP Mail sanitisation techniques
- Sanitize Form Data
- How to sanitize data in php in order to avoid SQL injection?
- I'm still confused about sanitizing strings