MSSQL injections
Posted: Mon Feb 09, 2009 7:35 pm
I'm working on a project that uses an MSSQL server with a PHP front... I'm looking at the code and I see a lot of direct variable usage:
[sql]SELECT * FROM TABLE WHERE fname = "$first_name"[/sql]
I'm googling and cannot find anything about whether injections are possible with MSSQL; it appears there is no escaping routine?
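An added example, not part of the original post: the interpolated pattern from the post next to a parameterized query through PHP's PDO. The table name `people` and the function names are hypothetical, and an in-memory SQLite database stands in for the MSSQL server so the code runs offline (with SQL Server the handle would come from the `pdo_sqlsrv` driver).

```php
<?php
declare(strict_types=1);

// Against SQL Server the handle would come from the pdo_sqlsrv driver, e.g.
//   new PDO('sqlsrv:Server=HOST;Database=DBNAME', $user, $pass);
// HOST and DBNAME are placeholders. SQLite in memory is a stand-in here;
// the prepare/execute calls below are the same for either driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; the table name "people" is hypothetical.
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, fname TEXT)');
$pdo->exec("INSERT INTO people (fname) VALUES ('Alice'), ('O''Brien')");

// Pattern from the post: the value becomes part of the SQL text, so a quote
// character inside it changes the statement the server parses.
function findInterpolated(PDO $pdo, string $firstName): array
{
    $sql = "SELECT id, fname FROM people WHERE fname = '$firstName'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: the SQL text is fixed and the value is bound
// separately as data, so no escaping routine is involved.
function findParameterized(PDO $pdo, string $firstName): array
{
    $stmt = $pdo->prepare('SELECT id, fname FROM people WHERE fname = :fname');
    $stmt->execute([':fname' => $firstName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "O'Brien"; // ordinary input that happens to contain a quote

try {
    findInterpolated($pdo, $name);
    echo "interpolated: ok\n";
} catch (PDOException $e) {
    // The quote closed the string literal early; the remainder did not parse.
    echo "interpolated: statement broke: ", $e->getMessage(), "\n";
}

$rows = findParameterized($pdo, $name);
echo "parameterized: ", count($rows), " row(s), fname=", $rows[0]['fname'], "\n";
```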