Is this sufficient to prevent query injection while using SQL Server?
Posted by Derek Adair on Stack Overflow
Published on 2010-04-09T16:16:00Z
Tags: sql-injection | sql-server
Hi,
I have recently taken on a project in which I need to integrate with PHP/SQL Server. I am looking for the quickest and easiest function to prevent SQL injection on SQL Server, as I prefer MySQL and do not anticipate many more SQL Server-related projects.
Is this function sufficient?
```php
// Doubles single quotes, which is how a quote is escaped inside a T-SQL string literal
function mssql_escape($str) {
    return str_replace("'", "''", $str);
}

$someVal = mssql_escape($_POST['someVal']);
// SQL Server has no INSERT ... SET form; the column-list/VALUES form is used here.
// Note that $someVal is interpolated without surrounding quotes.
$query = "INSERT INTO tblName (field) VALUES ($someVal)";
// mssql_query() runs a SQL string; mssql_execute() expects a statement prepared with mssql_init()
mssql_query($query);
```
If not, what additional steps should I take?
© Stack Overflow or respective owner
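The following is an added example, not code from the question or from any answer on the original page. It shows, in plain PHP, why the quote-doubling helper above is not a defence by itself, and then the two parameterised alternatives a practitioner would reach for on SQL Server: PDO with the sqlsrv driver, and, for the legacy mssql extension the question is written against, a stored-procedure call through mssql_init()/mssql_bind()/mssql_execute(). The table name tblName and column field come from the question; the DSN, credentials, the stored procedure name usp_insert_field and its @field parameter are assumptions for illustration, and the attack string is constructed input.

```php
<?php
// Added example (not from the original post). Demonstrates the gap in the
// asker's approach and the parameterised alternatives for SQL Server.

// The asker's helper: correct for text that sits INSIDE a single-quoted T-SQL
// literal, and for nothing else.
function mssql_escape(string $str): string {
    return str_replace("'", "''", $str);
}

// Query built exactly as in the question: the value is never quoted, so the
// escape has nothing to act on and the input is spliced in as raw SQL.
function build_unquoted(string $val): string {
    return "INSERT INTO tblName (field) VALUES (" . mssql_escape($val) . ")";
}

// Same query with the literal quoted. Now the helper does its job for this
// one statement, but every other place the value is used (LIKE patterns,
// numeric columns, identifiers, ORDER BY) needs its own, different rule.
function build_quoted(string $val): string {
    return "INSERT INTO tblName (field) VALUES ('" . mssql_escape($val) . "')";
}

// Constructed attack input: closes the VALUES list, runs a second statement,
// and comments out the remainder of the original query.
$attack = "1); DROP TABLE tblName; --";

echo build_unquoted($attack), PHP_EOL;
// INSERT INTO tblName (field) VALUES (1); DROP TABLE tblName; --)
//   -> two statements; the escape changed nothing because there was no quote
//      for the attacker to break out of.

echo build_quoted($attack), PHP_EOL;
// INSERT INTO tblName (field) VALUES ('1); DROP TABLE tblName; --')
//   -> a single string literal; harmless, but only because this one call
//      site happens to quote the value.

// Preferred: let the driver carry the value separately from the SQL text.
// PDO with the sqlsrv driver (DSN and credentials are assumptions).
function insert_value_pdo(PDO $pdo, string $val): int {
    $stmt = $pdo->prepare("INSERT INTO tblName (field) VALUES (?)");
    $stmt->execute([$val]);      // the value is never part of the statement text
    return $stmt->rowCount();
}

// For the legacy mssql_* extension the question uses: there is no parameter
// binding for ad-hoc SQL, so bind to a stored procedure instead.
// usp_insert_field and its @field parameter are hypothetical names.
function insert_value_mssql($conn, string $val): bool {
    $stmt = mssql_init('usp_insert_field', $conn);
    mssql_bind($stmt, '@field', $val, SQLVARCHAR, false, false, 255);
    return mssql_execute($stmt) !== false;
}

if (PHP_SAPI !== 'cli') {
    $pdo = new PDO(
        "sqlsrv:Server=localhost;Database=appdb",   // assumed DSN
        "appuser",                                  // assumed credentials
        "secret",
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    insert_value_pdo($pdo, $_POST['someVal'] ?? '');
}
```

Running the file from the command line prints the two assembled statements so the difference between the unquoted and quoted cases is visible without a database; the PDO block only executes when serving a request, since it needs a live SQL Server. The practical answer to the question is the shape of insert_value_pdo: a fixed statement text with a placeholder, and the user value passed to execute(), so no escaping rule has to be chosen or remembered per call site.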