How can I escape strings using sqlsrv_* functions?

Question

How can i use real_escape_string in sqlsrv?

This is my code:

$uname = sqlsrv_real_escape_string($conn, trim($_POST['uname']));
$pass  = sqlsrv_real_escape_string($conn, trim($_POST['pword']));

but I recieve the following error:

undefined function sqlsrv_real_escape_string

Answer 1

The SQL Server code makes prepared statements very easy to do:

$query = "SELECT * FROM users WHERE username=? AND password=?";
$parameters = [$_POST["uname"], $_POST["pword"]];
$result = sqlsrv_query($conn, $query, $parameters);

Simply replace your values with a ? and then pass them as an array (in order) as the third argument to sqlsrv_query().

(Not that you would ever store plaintext passwords in a databse, right?)