Make content safe for MSSQL insertion

I’ve written a program for my company which retrieves an email from a mailbox, inserts the content into an MSSQL table, then deletes the email.

In MSSQL you need to escape the ' character by using another ' character. I have therefore used the following code to make the content db safe:

$emailContent = str_replace("'", "''", $emailContent);

This normally avoids any insertion errors. However, after receiving a large HTML encoded email I received the following error message:

PHP Warning:  mssql_query(): message: Unclosed quotation mark after the character string 'View online version: <[Redirect Error](http://click.news.spiceworks.com/?qs)'. (severity 15)

Unfortunately the email was deleted before I got a chance to examine it properly. Would anyone be able to tell me some extra measures I could take to make the content db safe?

Many thanks

pretty hard to tell where that extra quote is, because the error message itself looks like it uses quotes around the problematic string

also, regarding this…

that’s actually standard SQL

in fact, mysql also supports it, even though most people are more used to seeing mysql’s non-standard backslash escape character

Thanks for your reply r937.

After examining the problem further it appears it may have occurred because the email content was too large for the db column which has a max limit of 8000 chars. I’ve now taken measures to prevent this.
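
One way a length limit can produce the "Unclosed quotation mark" error discussed in this thread, next to a parameterized insert that avoids it. This is an added example, not code from any poster. It assumes the text is cut to the column size after escaping; the table and column names are hypothetical, the sample email is constructed, and an in-memory SQLite database (pdo_sqlite) stands in for SQL Server, where the same prepare/execute calls work through PDO's sqlsrv driver.

```php
<?php
// Added example: constructed data, hypothetical table and column names.
const MAX_LEN = 8000; // column limit mentioned in the thread

// Constructed sample email: the 8000th character is a single quote.
$emailContent = str_repeat('a', MAX_LEN - 1) . "'" . ' trailing text';

// Escape first, then cut to the column size: the doubled quote is split,
// so the string literal ends with a lone quote.
$escaped   = str_replace("'", "''", $emailContent);
$truncated = substr($escaped, 0, MAX_LEN);
$sql       = "INSERT INTO emails (body) VALUES ('" . $truncated . "')";

// A literal is balanced only if the quotes inside it come in pairs.
$inner = substr_count($truncated, "'");
echo 'end of statement: ', substr($sql, -6), "\n";
echo "quotes inside literal: $inner (",
     $inner % 2 === 0 ? 'balanced' : 'unclosed quotation mark', ")\n";

// Bound parameter: cut the raw text to size, then hand it to the driver as
// data. No quote doubling is involved, so there is nothing to split.
// SQLite in memory is a stand-in (assumption) so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE emails (body TEXT)');

$stmt = $pdo->prepare('INSERT INTO emails (body) VALUES (:body)');
$stmt->execute([':body' => substr($emailContent, 0, MAX_LEN)]);

// The quote is stored as an ordinary character.
$stored = $pdo->query('SELECT body FROM emails')->fetchColumn();
echo 'stored length: ', strlen($stored),
     ', last char: ', substr($stored, -1), "\n";
```

`substr()` counts bytes, so with multibyte text the cut should be made with a character-aware function that matches how the column measures length.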