MSSQL injections

Posted: Mon Feb 09, 2009 7:35 pm
by alex.barylski
I'm working on a project that uses a MSSQL server with a PHP front...I'm looking at the code and I see a lot of direct variable usage:

[sql]SELECT * FROM TABLE WHERE fname = "$first_name"[/sql]

I'm googling and cannot find anything about whether injections are possible with MSSQL; it appears there is no escaping routine?

Re: MSSQL injections

Posted: Mon Feb 09, 2009 7:52 pm
by VladSun
No way ;)

From php.net users' comments:

function sqlEscape($sql) {
    /* Undo magic quotes */
    $fix_str = stripslashes($sql);
    $fix_str = str_replace("'", "''", $fix_str);    // T-SQL escapes a quote by doubling it
    $fix_str = str_replace("\0", "[NULL]", $fix_str);

    return $fix_str;
} // sqlEscape
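Added example, not code from either post: the lookup from the first post built the vulnerable way and then with a bound parameter, which keeps the value out of the SQL text entirely. It assumes PDO with the sqlsrv or dblib driver (the $pdo connection and its DSN are hypothetical); note that the first post wraps the value in double quotes, which T-SQL treats as an identifier delimiter when QUOTED_IDENTIFIER is ON (the default on ODBC-based connections), so a single-quote escaping routine does not cover that form at all.

```php
<?php
// Added example, not the thread's own code. $pdo is assumed to be a PDO
// connection opened with the sqlsrv (Windows) or dblib (FreeTDS) driver.

// Vulnerable form from the first post: the value is spliced into the SQL
// text, so any quote inside it changes the structure of the statement.
function buildUnsafeQuery(string $firstName): string
{
    return "SELECT * FROM TABLE WHERE fname = '$firstName'";
}

// Safe form: the value is passed as a bound parameter and never becomes
// part of the SQL text, so no escaping routine is needed. The sqlsrv driver
// binds server-side; the dblib driver emulates prepares by quoting client-side,
// but either way the application never concatenates user data into the query.
function findByFirstName(PDO $pdo, string $firstName): array
{
    $stmt = $pdo->prepare('SELECT * FROM TABLE WHERE fname = ?');
    $stmt->execute([$firstName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: a legitimate name containing an apostrophe.
$name = "O'Brien";

// The unsafe builder produces a statement whose literal ends at the apostrophe.
echo buildUnsafeQuery($name), PHP_EOL;

// Hypothetical DSN and credentials; replace with the real connection details.
$pdo = new PDO('sqlsrv:Server=localhost;Database=app', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$rows = findByFirstName($pdo, $name);
printf("%d row(s) for %s\n", count($rows), $name);
```

Printing the unsafe form for "O'Brien" shows the apostrophe closing the literal early, which is exactly the mechanism an injection exploits; the parameterised call returns the matching rows without any quoting logic in the application.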