duancao1951 2009-08-06 19:18
Views: 50
Accepted

SQL Server 2008 and PHP - sqlsvr_escape_string?

I'm using php and sql server 2008 and the SQL Server Driver for PHP 1.0 does not have a similar escape string like mysql_real_escape_string.

Do I just need to replace single quotations with something like

function sqlsvr_escape_string($string)
{
  // Double every single quote, which is how a T-SQL string literal escapes it.
  // str_replace does the same literal substitution as the original
  // eregi_replace(), which was deprecated in PHP 5.3 and removed in PHP 7.
  $pattern = "'";
  $replace = "''";
  return(stripslashes(str_replace($pattern,$replace,$string)));
}

or do I not need to be concerned because it uses parametrized statements? e.g.

$tsql = "SELECT * from tblUsers where email=(?) AND password=(?)";
$params = array($email, $encryptedPass);
$stmt = sqlsvr_prepare($conn, $tsql, $params);

The only resource I could find was this where the above snippet is from.

Thanks for any help and comments.

-TK


2 answers

  • dream2891 2009-08-06 21:05

    The latter. You don't need to be worried about escaping your SQL if you're using parametrized statements.

    From a "client coder" point of view (as in you're a client of SQL Server), the reason you use parametrized statements is you don't trust yourself to properly and/or consistently escape your values. Instead, you outsource that responsibility to the coders who created and maintain sqlsvr_prepare (or AdoDB, or Propel, or Doctrine, or etc.). It's their job to make sure that all data is properly escaped.

    This answer was selected by the asker as the best answer.
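As an added illustration of the accepted answer (this is not code from the question, the answer, or the driver's documentation): a login lookup that sends both user-supplied values as bound parameters, so the T-SQL text never has to be escaped by hand. The Microsoft SQL Server Driver for PHP prefixes its functions `sqlsrv_` (the question writes `sqlsvr_`); the server name, database, table and credentials below are placeholders.

```php
<?php
// Added example; not code from the original question or answer.
// Uses the Microsoft SQL Server Driver for PHP (sqlsrv_ prefix).
// Server name, database name and credentials are placeholders.

function connect_db()
{
    $serverName = "localhost\\SQLEXPRESS";            // placeholder
    $connectionInfo = array("Database" => "MyDB",      // placeholder
                            "UID"      => "app_user",  // placeholder
                            "PWD"      => "change-me"); // placeholder
    $conn = sqlsrv_connect($serverName, $connectionInfo);
    if ($conn === false) {
        // sqlsrv_errors() returns the driver's error records as an array
        die(print_r(sqlsrv_errors(), true));
    }
    return $conn;
}

// Looks up a user by email and (already hashed) password.
// Both values travel as bound parameters: the statement text is fixed
// before the values are seen, so a single quote or an SQL keyword inside
// $email is compared as plain data and can never change the query.
function find_user_by_login($conn, $email, $encryptedPass)
{
    $tsql = "SELECT id, email FROM tblUsers WHERE email = ? AND password = ?";

    // sqlsrv_prepare binds parameters by reference, so the same prepared
    // statement can be executed again after $email / $encryptedPass change.
    $params = array(&$email, &$encryptedPass);
    $stmt = sqlsrv_prepare($conn, $tsql, $params);
    if ($stmt === false) {
        die(print_r(sqlsrv_errors(), true));
    }

    if (sqlsrv_execute($stmt) === false) {
        die(print_r(sqlsrv_errors(), true));
    }

    // null when no row matched, false on error, otherwise the row
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return ($row === null || $row === false) ? false : $row;
}

$conn = connect_db();
// An address containing a single quote needs no escaping; it is sent as-is.
$user = find_user_by_login($conn, "o'brien@example.com", hash('sha256', 'secret'));
var_dump($user);
sqlsrv_close($conn);
```

Two points worth noting against the escape-function approach in the question: doubling single quotes is only the correct escape inside a quoted T-SQL string literal, so a value interpolated into a numeric comparison or an identifier position would still be interpreted by the server; and `stripslashes` has nothing to do with T-SQL quoting. With bound parameters neither concern arises, which is the answer's point.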
