Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m working on a PHP MSSQL project that is using the sqlsrv driver.
What’s the best way to stop SQL injection attacks? I need something like mysql_real_escape_string() but for sqlsrv driver.
The best way is not to write your SQL so that you need to use an analogue of
mysql_real_escape_string(), which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled bymysql_real_escape_string()) when you execute the statement or open the cursor or whatever.Failing that, look at the output of
mysql_real_escape_string(); it might be appropriate for MS SQL Server too. It depends on how it does the escaping (and what escaping it does).