How to sanitize an mssql request that stores emails

Question

How to sanitize an mssql request that stores emails

I have a query that is sent to a mailbox and tries to save all emails in a table. It works in most cases, but it fails when the value of the email content has double or single quotes. How can I change my code to correctly insert all requests?

    $num = imap_num_msg($imap);
    if($num > 0)
    {
        for($b = $num; $b > 0; $b--)
        {
            $body = $this->get_part($imap, $b, "TEXT/HTML");
            if($body == "")
            {
                $body = $this->get_part($imap, $b, "TEXT/PLAIN");
            }
            $header = imap_headerinfo($imap, $b);
            $subject = $header->subject;
            $fromaddress = $header->fromaddress;
            $body = str_replace("'", "''", $body);
            //$body = str_replace("\"", "\"\"", $body);
            $sql3 = "INSERT INTO [tbl_test] (content) 
                    VALUES ('".$body."')";
            $result3 = mssql_query($sql3, $dbh1);
        }
    }

Afterword I get the following errors:

Warning: mssql_query (): message: Unclosed quote after character string 'Please see why below s ....

Warning: mssql_query (): a common SQL Server error: check messages with SQL Server (severity 15) in /var/www/testing.php on line 38

+1

php sql-server

user1029829 Apr 05 '13 at 18:08

source share

1

Jason Carter · Answer 1 · 2013-04-05T18:13:22+0000

:

$query = "INSERT INTO test (email, body) VALUES (?,?);";
$arrParams[]="my@domain.com";
$arrParams[]="My email body has quotes\ or double quotes \" in it.";
$resource=sqlsrv_query($conn, $query, $arrParams);

: sqlsrv_query

How to sanitize an mssql request that stores emails

More articles: