Possible Duplicate:
How to escape strings in MSSQL using PHP?

I am making a system and I need to prevent SQL injection. I'm using PHP and SQL Server 2008 R2. Basically what I'm wondering is if I can just use:

mysql_real_escape_string

or is there a specific one for SQL Server? Any feedback appreciated.

MaxI

3 Answers

2

I would suggest starting to use PDO. This way you could use parametrized queries, which will take care of almost everything for you, including SQL injection; plus it supports a very large number of RDBMSs, including MSSQL.

Here are some of the topics to get you started.

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

http://www.php.net/manual/en/book.pdo.php

Ibrahim Azhar Armar
  • An even better solution. – Madara's Ghost Aug 27 '11 at 17:50
  • Thanks Ibrahim. Now to read and use PDO. In fact I read somewhere that using escape strings isn't really that secure. Thanks – MaxI Aug 28 '11 at 04:58
  • I know this question was asked in 2011, but as of 2013 PDO no longer supports MSSQL. – gal Feb 23 '13 at 23:44
  • @Andrew, nowhere could I find a source mentioning that PHP no longer supports MSSQL, not even in the PHP manual. In fact, in the PHP manual it is clearly mentioned that PDO supports MSSQL; here is the source: http://php.net/manual/en/ref.pdo-sqlsrv.php – Ibrahim Azhar Armar Feb 24 '13 at 02:54
  • Sorry - I posted that when I was a bit tired earlier - I think my intent was to address that there are a bunch of no-longer-supported drivers: PDO_BDLIB, PDO_ODBC, PDO_SQLSRV, MSSQL, and SQLSRV are floating around, but only PDO_SQLSRV and SQLSRV are still supported/recommended for Windows (I believe). MSSQL is actually an entirely separate driver from anything involving PDO and was never related. My bad. – gal Feb 24 '13 at 05:32
  • This answer also isn't helpful if you have no choice but to use these functions in a legacy system but this question hits the top of Google results. – Hippyjim Sep 19 '14 at 07:43
0

I have a class I built for my project, maybe it can help you out

    <?php

    class clean
    {
        // Remove <script>...</script> blocks from a string.
        public static function stripJS($input)
        {
            return preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $input);
        }

        // Sanitize an e-mail address, then strip scripts.
        public static function email($input)
        {
            return clean::stripJS(filter_var($input, FILTER_SANITIZE_EMAIL));
        }

        // Strip scripts, then all remaining HTML tags.
        public static function noTags($input)
        {
            return strip_tags(clean::stripJS($input));
        }

        // Escape a value before it goes into a query. Note: this is the
        // MySQL escaping function (backslash escaping, needs an open MySQL
        // connection); SQL Server quotes strings by doubling single quotes.
        public static function dbIN($input)
        {
            return mysql_real_escape_string(self::stripJS($input));
        }

        // Undo backslash escaping when reading a value back out.
        public static function dbOUT($input)
        {
            return stripslashes($input);
        }
    }

    // Usage:
    $input = clean::dbIN($input);

    ?>
Clint C.
-1

You can't use the MySQL-specific escape function.

Use something that deals in bound parameters.

Quentin
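A worked example of what both the PDO answer above and Quentin's answer mean by bound parameters, added here as an illustration and not taken from any answer on the page. It uses PDO with the pdo_sqlsrv driver (the one the comment thread settles on as still supported). The DSN, credentials, the `users` table and its column names are assumptions for the sake of the example.

```php
<?php
// Added example: parameterised queries against SQL Server 2008 R2 through
// PDO + pdo_sqlsrv. Connection details, table and column names are
// placeholders, not taken from the question or any answer.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'sqlsrv:Server=localhost;Database=AppDb';       // assumed
    $pdo = new PDO($dsn, 'app_user', 'app_password');      // placeholder creds
    // Throw exceptions on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// UNSAFE: the pattern the question is trying to avoid. The value is pasted
// into the SQL text, so $username = "x' OR 1=1 --" turns the WHERE clause
// into one that is always true. No MySQL-style escaping fixes this for
// T-SQL, whose string literals are escaped by doubling quotes, not with
// backslashes.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text contains only a placeholder; the value is sent to the
// server as a separate parameter and can never be parsed as SQL. No
// escaping function is involved at all, for MySQL or for SQL Server.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholders only bind *values*. Table names, column names and sort
// directions cannot be parameters, so anything user-controlled there must be
// mapped through a fixed whitelist before it is concatenated into the query.
// The row count is a value, so it is bound; SQL Server accepts TOP (@param).
function listUsers(PDO $pdo, string $sortBy, int $limit): array
{
    $allowed = ['id' => 'id', 'username' => 'username', 'created' => 'created_at'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException('unknown sort column: ' . $sortBy);
    }
    $column = $allowed[$sortBy];   // trusted: came from our own map, not the user

    $stmt = $pdo->prepare("SELECT TOP (:limit) id, username FROM users ORDER BY $column");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (needs a reachable SQL Server; the credentials above are placeholders):
// $pdo = connect();
// var_dump(findUser($pdo, "x' OR 1=1 --"));   // null: no user literally named that
// var_dump(listUsers($pdo, 'username', 10));
```

The point of `findUser` is that nothing about the input is escaped or cleaned; the driver sends the SQL and the parameter separately, so the question of "which escape function for SQL Server" does not arise. `listUsers` shows the one place where a whitelist is still needed, because identifiers and keywords are not bindable.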