
MSSQL injection

Posted: Tue Oct 09, 2007 11:59 am
by kendall
Hi,

I have never used MSSQL in my life... until today. I have a MySQL-based application which I am currently translating into MSSQL syntax. I note there isn't a "mysql_real_escape_string"... version in MSSQL.

Does this mean that there is no way for SQL injections in MSSQL?

What would then be the appropriate method of safely escaping MSSQL user-inputted values?

Posted: Tue Oct 09, 2007 11:15 pm
by Josh1billion
I googled to find this, which may help you: http://www.t4vn.net/example/showcode/ms ... tring.html

Posted: Wed Oct 10, 2007 1:03 am
by jmut
Use prepared queries; as of MySQL 4.1+ you can use prepared queries for MySQL too.
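
The prepared-query approach suggested in the last reply, shown at the SQL Server level as an added example (it is not code from any poster in this thread). The temp table, column and variable names are assumptions and the input strings are constructed; it contrasts string concatenation with a parameterized call through `sp_executesql`.

```sql
-- Added example. Table, column and variable names are assumptions, and the
-- input strings are constructed for illustration.
CREATE TABLE #users (id INT IDENTITY(1,1) PRIMARY KEY, name NVARCHAR(50) NOT NULL);
INSERT INTO #users (name) VALUES (N'alice');
INSERT INTO #users (name) VALUES (N'O''Brien');

DECLARE @input NVARCHAR(50);
DECLARE @sql   NVARCHAR(400);

-- Constructed hostile input: the quote ends the string literal early.
SET @input = N'x'' OR ''1''=''1';

-- UNSAFE: the input is pasted into the statement text, so the server parses
-- it as SQL. The WHERE clause becomes  name = N'x' OR '1'='1'  and every
-- row comes back.
SET @sql = N'SELECT id, name FROM #users WHERE name = N''' + @input + N'''';
PRINT @sql;
EXEC (@sql);

-- SAFE: the statement text is fixed and the value travels separately as
-- @name. The same input is compared as one literal string and matches nothing.
EXEC sp_executesql
     N'SELECT id, name FROM #users WHERE name = @name',
     N'@name NVARCHAR(50)',
     @name = @input;

-- A legitimate value containing a quote needs no escaping either:
-- this returns the single O'Brien row.
SET @input = N'O''Brien';
EXEC sp_executesql
     N'SELECT id, name FROM #users WHERE name = @name',
     N'@name NVARCHAR(50)',
     @name = @input;

DROP TABLE #users;
```

A database layer that supports bound parameters gives the application the same separation between statement text and values, so no escaping function is needed on the application side.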