[geeklog-devel] MS SQL escaping

Dirk Haun dirk at haun-online.de
Fri Jul 4 05:38:52 EDT 2008


Looking through the config class, there are 3 places where we do some
special escaping for MS SQL.

In functions set() and set_default(), we do

        if ($_DB_dbms == 'mssql') {
            $sql_query = str_replace("\\'", "''", $sql_query);
            $sql_query = str_replace('\\"', '"', $sql_query);

whereas in function add(), we do

        if ($_DB_dbms == 'mssql') {
            $sql_query = str_replace("\\'", "''", $sql_query);
            $sql_query = str_replace('\\"', '""', $sql_query);

So in the first case, \" is replaced with a single " while in the second
case, it's replaced with two "".

Am I missing something or is one of those wrong (and if so, which one's
correct)?

bye, Dirk


-- 
http://www.geeklog.net/
http://geeklog.info/
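
Added example (not part of the original message and not Geeklog code): it runs both replacement variants over the same query and decodes the resulting T-SQL literal to show what value the server would store. It assumes the value sits inside a single-quoted T-SQL string literal and was escaped addslashes()-style beforehand; the function names, table and column names, and the sample value are hypothetical.

```php
<?php
// Variant quoted from set() and set_default(): \" becomes "
function mssql_fix_set(string $sql): string {
    $sql = str_replace("\\'", "''", $sql);
    return str_replace('\\"', '"', $sql);
}

// Variant quoted from add(): \" becomes ""
function mssql_fix_add(string $sql): string {
    $sql = str_replace("\\'", "''", $sql);
    return str_replace('\\"', '""', $sql);
}

// Minimal reader for one single-quoted T-SQL string literal that starts at
// $start. Inside such a literal '' is an escaped single quote and every
// other character, including " and \, is taken literally.
// Returns the decoded value, or null if the literal is missing or unterminated.
function tsql_read_literal(string $sql, int $start): ?string {
    if (($sql[$start] ?? '') !== "'") {
        return null;
    }
    $out = '';
    $n = strlen($sql);
    for ($i = $start + 1; $i < $n; $i++) {
        if ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") {
                $out .= "'";   // doubled quote -> one quote in the value
                $i++;
                continue;
            }
            return $out;       // closing quote of the literal
        }
        $out .= $sql[$i];
    }
    return null;
}

// Constructed sample value and query (hypothetical table and column names).
$value = 'Dirk\'s "test" site';
$query = "UPDATE conf SET value = '" . addslashes($value) . "' WHERE name = 'site_name'";
$start = strpos($query, "'");   // opening quote of the value literal

foreach (['set' => 'mssql_fix_set', 'add' => 'mssql_fix_add'] as $name => $fn) {
    $stored = tsql_read_literal($fn($query), $start);
    printf("%-3s stores: %s (%s)\n", $name, $stored,
           $stored === $value ? 'round-trips' : 'altered');
}
```

Under the single-quoted-literal assumption only the single quote needs doubling, so the two variants differ exactly when the value contains a double quote. The doubled form would only be the required escape if the literal were delimited by double quotes, which T-SQL permits only with QUOTED_IDENTIFIER OFF.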



