0

http://www.php.net/manual/en/book.mssql.php

I am using that to connect from a LAMP environment to SQL Server. I noticed I don't have the neet functions like prepared statement and real_escape_string.

How can I make my query as secure as possible? Any help is appreciated.

Don't suggest me to use ODBC or PDO, I don't have that option. I have to run with what I have, and that's MSSQL.

$con = mssql_connect ('xxx', 'xxx', 'xxx');

mssql_select_db('xxx', $con);

$qry = "SELECT 
            firstname
    FROM 
            person
    where firstname = '{$firstname}'";

$query = mssql_query($qry, $con);
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
vick
  • 476
  • 6
  • 18

4 Answers4

2

Don't use literals, use parameters and bind them to your query:

$con = mssql_connect ('xxx', 'xxx', 'xxx');
mssql_select_db('xxx', $con);
$qry = 'SELECT firstname
     FROM person
    where firstname = @firstname';
mssql_bind ($qry, '@firstname', $firstname, SQLVARCHAR);
$query = mssql_query($qry, $con);
Remus Rusanu
  • 288,378
  • 40
  • 442
  • 569
  • 1
    according to the docs, "mssql_bind — Adds a parameter to a stored procedure or a remote stored procedure" ...this won't work in my case since it's not a stored procedure. – vick Jul 26 '11 at 19:54
1

The MSSQL binding supports prepared statements just fine.

The documentation is your friend.

Lightness Races in Orbit
  • 378,754
  • 76
  • 643
  • 1,055
  • 1
    I did read the documentation, I couldn't find it.. mssql_bind is only for stored procedures. – vick Jul 26 '11 at 19:56
1

You can use htmlentities() to convert html elements into html entities and this function accepts a third argument which is for escaping single and double quotes.

Here is the signature of the function:

string htmlentities ( string $string [, int $flags = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] )

and the arguments that second parameters may take:

ENT_COMPAT Will convert double-quotes and leave single-quotes alone.

ENT_QUOTES Will convert both double and single quotes.

ENT_NOQUOTES Will leave both double and single quotes unconverted.

ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Added in PHP 5.3.0. This is provided for backwards compatibility; avoid using it as it may have security implications.

And

You can simply use addslashes() with htmlentities()

and also there is another function with cleans html tags out from the fields which is filter_var () and such example look would be:

$return_value = filter_var($data_to_be_filtered,FILTER_SANITIZE_STRING);

Important

Don't forget to check whether magic_quotes are enabled or not. You can do that by writing :

if(get_magic_quotes_gpc())
    //do something

More about magic_quotes: http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Edit:

You can do more secure transaction by using prepared-statements. They prevent SQL-Injection.

Sample code:

$db = new mysqli();
$db->real_connect($host,$username,$password,$db) or die("Cannot connect");
$query = "select name from users where id = ?";
$st = $db->prepare($query); //faster than normal query run
$st->bind_param("d",$id);
$st->execute();
$st->bind_result($name);
$st->fetch();
echo $name;
Tarik
  • 79,711
  • 83
  • 236
  • 349
0

Mssql doesn't supply a function to escape your query. One option is to use "addslashes()" instead, although it is somewhat ugly (and doesn't encompass everything)

This might be helpful: How to escape strings in SQL Server using PHP?

Community
  • 1
  • 1
Chris
  • 1,569
  • 2
  • 11
  • 18
  • how does that make it more secure? – vick Jul 25 '11 at 23:34
  • It prevents it from SQL injections, which is your biggest fear with SQL queries. – Chris Jul 25 '11 at 23:36
  • Unfortunately, addslashes() is - at best - half of a solution (as this person has already been told in other help fora). It's pretty trivial to break addslashes(). – TML Jul 25 '11 at 23:43
  • Sorry, Chris, I was trying to emphasize the point for vick, not disparage your answer. :) – TML Jul 25 '11 at 23:58
  • Actually there is a function with returns quoted string with slashed. Please check this function which is a native mySQL function :http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_quote – Tarik Jul 26 '11 at 02:45
  • how is escaping or removing slashes preventing sql injections? – vick Jul 26 '11 at 19:57
  • @vick addslashes() attempts to escape SQL injection characters such as single quotes. – TML Jul 26 '11 at 21:07
  • @Braveyard - he's using Microsoft SQL Server (MSSQL), not MySQL. – TML Jul 26 '11 at 21:07
  • @TML : Oooo sorry I didn't see that... :) When PHP comes into play, it reminds me mySQL all the time :) – Tarik Jul 26 '11 at 21:18