TylerTy
asked on
Insertion/Injection attacks. How do I avoid attacks with using php to an MSsql db.
Besides going through the strings pass are parsing it for special characters, how else can I preven insertion attacks. For Mysql, there is a function called mysql_escape_string which will do this, however I'm running an MSsql db and wondering if there is an equivalent for MSsql?
In Mysql ie.
$Input = mysql_escape_string($Input );
MSsql???
In Mysql ie.
$Input = mysql_escape_string($Input
MSsql???
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
As the first comment in the PHP manual states, you can try to use addSlashes() in order to escape quotes and singlequotes. This doesn't influence any special characters, but will prevent code injection to my knowledge.
check your values with a regular expression before using them. There is also a number of standard tests for the basic numbers: http://dk.php.net/manual/en/function.is-numeric.php
regards JakobA
regards JakobA
my comment is a tested one.
:-)
:-)