Is this sufficient to prevent query injection while using SQL Server?

Posted by Derek Adair on Stack Overflow See other posts from Stack Overflow or by Derek Adair
Published on 2010-04-09T16:16:00Z Indexed on 2010/04/09 16:23 UTC
Read the original article Hit count: 401

Filed under:
|

Hi,

I have recently taken on a project in which I need to integrate with PHP/SQL Server. I am looking for the quickest and easiest function to prevent SQL injection on SQL Server as I prefer MySQL and do not anticipate many more SQL Server related projects.

Is this function sufficient?

$someVal = mssql_escape($_POST['someVal']);

$query = "INSERT INTO tblName SET field = $someVal";

mssql_execute($query);

function mssql_escape($str) {
    return str_replace("'", "''", $str);
}

If not, what additional steps should I take?

© Stack Overflow or respective owner

Related posts about sql-injection

Related posts about sql-server