MSSQL injections



alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

MSSQL injections

Post by alex.barylski »

I'm working on a project that uses a MSSQL server with a PHP front... I'm looking at the code and I see a lot of direct variable usage:

```sql
SELECT * FROM TABLE WHERE fname = "$first_name"
```

I'm googling and cannot find anything about whether injections are possible with MSSQL; it appears there is no escaping routine?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: MSSQL injections

Post by VladSun »

No way ;)

From php.net users' comments:

```php
function sqlEscape($sql) {
    /* Undo magic quotes: remove the backslashes PHP added to the input */
    $fix_str = stripslashes($sql);
    /* T-SQL string literals escape a single quote by doubling it */
    $fix_str = str_replace("'", "''", $fix_str);
    /* A NUL byte would otherwise terminate the statement in some drivers */
    $fix_str = str_replace("\0", "[NULL]", $fix_str);

    return $fix_str;
} // sqlEscape
```
There are 10 types of people in this world, those who understand binary and those who don't
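The following is an added example, not code from either post, to make the answer concrete: it builds the query from the original post three ways with one constructed input and shows why the first is injectable, what the quote-doubling escape does, and why a parameterised query is the form to use. The table name `Users`, the placeholder `:fname`, the connection placeholders and the use of the Microsoft `pdo_sqlsrv` driver are assumptions; only the column `fname` comes from the thread. Note that the original query wrapped the value in double quotes, which under SQL Server's default `QUOTED_IDENTIFIER ON` delimit identifiers rather than strings, so the example uses the single quotes a T-SQL string literal requires.

```php
<?php
// Added example, not code from the thread. Assumes a table "Users" with a
// column "fname" (the column name comes from the original post; the table
// name is made up) and the Microsoft pdo_sqlsrv driver for the PDO part.

// Constructed input in the shape an attacker would send: it closes the
// string literal early and appends a predicate that is always true.
$firstName = "x' OR '1'='1";

// 1. The pattern from the original post: the variable is pasted straight
//    into the statement text, so its quote characters change the SQL.
function buildUnsafe(string $first): string
{
    return "SELECT * FROM Users WHERE fname = '$first'";
}

// 2. Manual escaping along the lines of the function VladSun posted.
//    T-SQL string literals are single-quoted and a literal quote inside
//    them is written as two quotes; NUL bytes are stripped because some
//    client libraries treat the statement as a C string and cut it there.
function sqlEscapeMssql(string $value): string
{
    $value = str_replace("\0", '', $value);
    return str_replace("'", "''", $value);
}

function buildEscaped(string $first): string
{
    return "SELECT * FROM Users WHERE fname = '" . sqlEscapeMssql($first) . "'";
}

// 3. The form to prefer: a parameterised query. The SQL text is fixed and
//    the value travels to the server separately, so no escaping is needed
//    and the input cannot alter the statement.
function findByFirstName(PDO $pdo, string $first): array
{
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE fname = :fname');
    $stmt->execute([':fname' => $first]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Show what the two string-building approaches actually send to the server.
echo "unsafe:  ", buildUnsafe($firstName), PHP_EOL;
echo "escaped: ", buildEscaped($firstName), PHP_EOL;

// Connection details are placeholders; fill in real values to run the
// parameterised version against a SQL Server instance.
// $pdo = new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', 'DB_USER', 'DB_PASSWORD');
// print_r(findByFirstName($pdo, $firstName));
```

Running the script with the PHP CLI prints the two statements: in the unsafe build the input has closed the literal after `x` and the `WHERE` clause now contains an `OR` predicate that is always true, so every row matches; in the escaped build the doubled quotes keep the whole input inside one literal and the server compares `fname` against that exact string. Manual escaping only covers values placed inside a quoted literal (a number spliced in without quotes is still injectable), and the `stripslashes` call in the posted function is only meaningful when `magic_quotes_gpc` was on, a feature removed in PHP 5.4. Prepared statements sidestep both problems, which is why they are the right answer to the original question regardless of the database engine.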