Home/ Questions/Q 6607293
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T19:29:17+00:00

How can I modify this code to improve protection against sql injection and other

  • 0

How can I modify this code to improve protection against sql injection and other threats? It is a MS SQL database.

<?php include_once("db.php"); ?>

<?php
$id = $_REQUEST['id'];
settype($id, 'string');

$tsql = "SELECT Table1.Fund FROM Table1 WHERE Table1.Fund='%s'";
$tsqlnew=sprintf($tsql, $id);

$stmt = sqlsrv_query( $conn, $tsqlnew);
if( $stmt === false)
{
echo "Error in query preparation/execution.\n";
die( print_r( sqlsrv_errors(), true));
}

$chd = '';

while( $data = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC))  {
$chd .= '[\''.$data['Fund'] .'\'],';
}
$chd = substr($chd,0,-1);

?>

I’m also wondering if my db connection can be improved. Thanks for your help!

<?php

$myServer = "server";
$myUser = "userPlaceHolder";
$myPass = "passwordPlaceHolder";
$myDB = "SQL";

$conn = sqlsrv_connect($myServer, array('UID'=>$myUser, 'PWD'=>$myPass, 'Database'=>$myDB));

if( $conn === false )
{
echo "Could not connect.\n";
die( print_r( sqlsrv_errors(), true));
}
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You code does exactly NOTHING to prevent injection attacks. Merely forcing variable to have a string-data type is exactly as much protection as a piece of toilet paper provides against a tsunami.

    To prevent injection attacks, you must escape all data that you insert into a query string, whether it’s user-provided or something you yourself have created/inserted.

    Best option is to use prepared statements, which relieves you of the responsibility of escaping data.

    Even if the data being inserted isn’t “malicious”, any SQL metacharacters (quotes in particular) can still destroy the query and cause syntax errors.

    • 0