I have a query
$sql ="SELECT CustomerID FROM tblCustomer
WHERE EmailAddress = '".addslashes($_POST['username']) ."' AND Password = '".addslashes($_POST['password']) ."'";
// when printed, it comes out as
SELECT CustomerID FROM tblCustomer WHERE EmailAddress = 'test@ab\'c.com' AND Password = '123'
If we execute this on a MySQL server it works, but not on a SQL Server.
What is the solution for this? I am using SQL Server.
addslashes() will escape single quotes with a leading backslash, which is valid syntax in MySQL but not in MS SQL Server. The correct way to escape a single quote in MS SQL Server is with another single quote. Use mysql_real_escape_string() for MySQL (mysql_escape_string() has been deprecated). Unfortunately, no analogous mssql_ function exists, so you'll have to roll your own using str_replace(), preg_replace() or something similar. Better yet, use a database-neutral abstraction layer such as PDO that supports parameterized queries.
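As an added example (not part of the question or the answer above), the following PHP script shows both routes the answer describes: a hand-rolled escaper that doubles single quotes, which is the T-SQL rule, beside the addslashes() version from the question, and a PDO prepared statement that needs no escaping at all. It also shows why the addslashes() version is not just a syntax problem on SQL Server but an injection hole, since T-SQL treats the backslash as an ordinary character. The DSN, the MSSQL_DSN environment variable, the credentials and the helper names are assumptions for illustration; the table and column names are the ones from the question.

```php
<?php
// Added example, not code from the original post. Assumes the pdo_sqlsrv
// driver; the DSN/credentials below are placeholders read from the environment.

// Escape a value for use inside a T-SQL single-quoted literal.
// T-SQL has no backslash escapes; the only special character is the quote,
// which is escaped by doubling it.
function mssqlQuote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Build the question's query two ways so the difference is visible:
// the addslashes() version from the question and the quote-doubling version.
function buildQueries(string $username, string $password): array
{
    $addslashes = "SELECT CustomerID FROM tblCustomer WHERE EmailAddress = '"
        . addslashes($username) . "' AND Password = '" . addslashes($password) . "'";
    $doubled = "SELECT CustomerID FROM tblCustomer WHERE EmailAddress = "
        . mssqlQuote($username) . " AND Password = " . mssqlQuote($password);
    return ['addslashes' => $addslashes, 'doubled' => $doubled];
}

// 1. The value from the question: a legitimate address containing a quote.
foreach (buildQueries("test@ab'c.com", "123") as $label => $sql) {
    echo "$label: $sql\n";
}
// addslashes: ... EmailAddress = 'test@ab\'c.com' ...
//   SQL Server ends the literal at \' and chokes on the following c.com (syntax error).
// doubled:    ... EmailAddress = 'test@ab''c.com' ...
//   Valid T-SQL; the literal is test@ab'c.com.

// 2. A classic bypass payload (constructed input) in the username field.
foreach (buildQueries("' OR 1=1 --", "x") as $label => $sql) {
    echo "$label: $sql\n";
}
// addslashes: ... EmailAddress = '\' OR 1=1 --' AND Password = 'x'
//   On SQL Server '\' is a complete one-character literal, so "OR 1=1" is live SQL
//   and "--" comments out the password check: addslashes() does not protect you here.
// doubled:    ... EmailAddress = ''' OR 1=1 --' AND Password = 'x'
//   The whole payload stays inside the literal.

// 3. Preferred: let the driver bind the values, so no escaping logic exists to get wrong.
function findCustomerId(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT CustomerID FROM tblCustomer WHERE EmailAddress = :email AND Password = :pw'
    );
    $stmt->execute([':email' => $username, ':pw' => $password]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Only talks to a database when a DSN is configured, e.g.
//   MSSQL_DSN='sqlsrv:Server=localhost;Database=shop' MSSQL_USER=appuser MSSQL_PASS=secret php login.php
$dsn = getenv('MSSQL_DSN');
if ($dsn !== false) {
    $db = new PDO($dsn, getenv('MSSQL_USER') ?: '', getenv('MSSQL_PASS') ?: '', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    var_dump(findCustomerId($db, $_POST['username'] ?? '', $_POST['password'] ?? ''));
}
```

The first two sections run without a database and only print the generated SQL; the third runs against a real server once MSSQL_DSN is set. Note that with the prepared statement the payload in section 2 is simply compared as a string against EmailAddress and matches nothing, which is the behaviour you want.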