-
" single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc " is what I've found. Doesn't seem to be a stock function comparable to mysql_real_escape_string(). Microsoft (those loveable hunks) suggest using stored procedures and validating all inputs using custom-built regexes. I'm sure you've got enough free time for that.
-
haha yea, plenty of time for that. I've just gotten back to this thread now. So going further into this...
I've started using parametrized queries as an alternative to escaping all the possible inputs.
How secure is this method, if at all?
Side note for mssql users stumbling upon this: mssql doesn't take \' as escaping; doubling the single quote ('') is how mssql escapes a single quote, so the query would be
Code:
$query = "select * from users where lastname like 'o''brien';';
-
By "parametrized queries" you mean that you have a list of possible queries or parts of queries and the user's input selects which one to use, but there are no custom fields? That should be entirely secure.
(If one of your terms happens to be ;DROP DATABASE, then you'd need to fix that ;).)
Note that in the syntax of your code above you are mixing double and single quotes. I believe the last single quote should be double instead.
MySQL does that same method of escaping single quotes. You just never see it because mysql_real_escape...() does it for you.
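The two approaches discussed in this thread side by side, as an added example that is not any poster's code: manual quote-doubling (the '' style used by MSSQL, MySQL and also SQLite) next to a true parameterized query where the driver carries the value separately. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table, names and function names are assumptions for the demo, not the original PHP/MSSQL setup.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the thread).
SAMPLE_USERS = [("Miles", "o'brien"), ("Ada", "lovelace"), ("Bob", "o'connor")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_single_quotes(value: str) -> str:
    """Manual escaping as described in the thread: each ' becomes '' inside a literal."""
    return value.replace("'", "''")


def find_by_lastname_concat(conn, lastname: str, escape: bool = True):
    """Builds the SQL text by hand; only safe if every input really is escaped."""
    literal = escape_single_quotes(lastname) if escape else lastname
    sql = f"SELECT firstname FROM users WHERE lastname LIKE '{literal}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_lastname_param(conn, lastname: str):
    """Parameterized query: the value never becomes part of the SQL text, so no escaping."""
    sql = "SELECT firstname FROM users WHERE lastname LIKE ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def demo():
    """Run the same lookup three ways and report what each does with an apostrophe."""
    conn = make_db()
    results = {}
    results["param"] = find_by_lastname_param(conn, "o'brien")          # ['Miles']
    results["escaped"] = find_by_lastname_concat(conn, "o'brien")       # ['Miles']
    try:
        # Forgetting to escape breaks the statement: 'o'brien' is not valid SQL.
        find_by_lastname_concat(conn, "o'brien", escape=False)
        results["unescaped"] = "no error"
    except sqlite3.OperationalError:
        results["unescaped"] = "syntax error"
    # The ";DROP" case from the thread is just a string when bound as a parameter.
    results["hostile"] = find_by_lastname_param(conn, "x'; DROP TABLE users; --")  # []
    results["table_intact"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 3
    return results


if __name__ == "__main__":
    print(demo())
```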