• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 678
  • Last Modified:

Insertion/Injection attacks. How do I avoid attacks with using php to an MSsql db.

Besides going through the strings pass are parsing it for special characters, how else can I preven insertion attacks.  For Mysql, there is a function called mysql_escape_string which will do this, however I'm running an MSsql db and wondering if there is an equivalent for MSsql?

In Mysql ie.
$Input = mysql_escape_string($Input);

MSsql???
0
TylerTy
Asked:
TylerTy
  • 2
1 Solution
 
ldbkuttyCommented:
you won't find a mssql_escape_string() function like mysql_escape_string()), but using:

$escapedString = str_replace("'","''",$stringToEscape);

will accomplish the same thing.
0
 
RoonaanCommented:
As the first comment in the PHP manual states, you can try to use addSlashes() in order to escape quotes and singlequotes. This doesn't influence any special characters, but will prevent code injection to my knowledge.
0
 
JakobACommented:
check your values with a regular expression before using them. There is also a number of standard tests for the basic numbers: http://dk.php.net/manual/en/function.is-numeric.php

regards JakobA
0
 
ldbkuttyCommented:
my comment is a tested one.
:-)
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now