I'm working on a project that uses an MSSQL server with a PHP front...I'm looking at the code and I see a lot of direct variable usage:
[sql]SELECT * FROM TABLE WHERE fname = "$first_name"[/sql]
I'm googling and cannot find anything about whether injections are possible with MSSQL; it appears there is no escaping routine?
MSSQL injections
alex.barylski
Joined: Tue Dec 21, 2004 5:00 pm
Re: MSSQL injections
No way
From php.net users' comments:
[code]
function sqlEscape($sql) {
    // Undo magic_quotes: strip the backslashes PHP added to the input
    $fix_str = stripslashes($sql);
    // Double every single quote so the value cannot close its string literal
    $fix_str = str_replace("'", "''", $fix_str);
    // Replace NUL bytes, which can truncate the string on its way to the server
    $fix_str = str_replace("\0", "[NULL]", $fix_str);
    return $fix_str;
} // sqlEscape
[/code]
There are 10 types of people in this world, those who understand binary and those who don't
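A parameterised version of the query from the question, added here as an example (it is not code from the thread or from php.net). It assumes the pdo_sqlsrv driver and a table `people` with a column `fname`; the connection details are placeholders. With a bound parameter the value is never parsed as SQL, so no escaping function is needed:

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlsrv driver,
// a table `people` with a column `fname`, and placeholder connection details.
$dsn  = 'sqlsrv:Server=localhost;Database=app_db'; // placeholder server/database
$user = 'app_user';                                // placeholder login
$pass = 'placeholder-password';                    // placeholder password

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface driver errors as exceptions
]);

// The form from the question, kept only for contrast: the request value is
// spliced into the SQL text, so a quote in $first_name changes the statement
// itself rather than the data being compared.
function findByFirstNameUnsafe(PDO $pdo, string $first_name): array
{
    $sql = "SELECT * FROM people WHERE fname = '$first_name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare time and the value is bound
// as a parameter, so the server never parses user input as part of the
// statement, whatever characters it contains.
function findByFirstName(PDO $pdo, string $first_name): array
{
    $stmt = $pdo->prepare('SELECT * FROM people WHERE fname = :fname');
    $stmt->execute([':fname' => $first_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the request value goes through the bound parameter, not the SQL text.
$rows = findByFirstName($pdo, $_GET['first_name'] ?? '');
```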