I am very used to using MySQL and mysql_real_escape_string(), but I have been given a new PHP project that uses ODBC.
What is the correct way to escape user input in a SQL string?
Is addslashes() sufficient?
I would like to get this right now rather than later!
Instead of string escaping the PHP ODBC driver uses prepared statements. Use odbc_prepare to prepare an SQL statement and odbc_execute to pass in the parameters and execute the statements. (This is similar to what you can do with PDO).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With