ebolt007 Posted January 23, 2012
Since MSSQL doesn't have an escape string for input information, is there anything that anyone has to protect inputs against SQL injections?
https://forums.phpfreaks.com/topic/255627-no-mssql_real_escape_string/
premiso Posted January 23, 2012

function mssql_escape($data) {
    // Numbers need no quoting; pass them through unchanged.
    if (is_numeric($data)) {
        return $data;
    }
    // Everything else becomes a hexadecimal binary literal (0x...),
    // which contains no quote characters for the server to misread.
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}

Taken from: http://stackoverflow.com/a/574821/398519
dzelenika Posted January 23, 2012
Use prepared statements, so you don't need to worry about SQL injection.
ebolt007 (Author) Posted January 23, 2012
This may be a retarded question, but I never really got the grasp of functions. How would I implement a function like this on a post of a variable like the following? Say I have a headline input field called:

<input class="sign_up_input_area_main" type="text" name="Headline" value="<?= htmlspecialchars($headline_2) ?>" size="98" />

and my post action is

$headline_1 = trim($_POST['Headline']);
$headline_2 = strip_tags($headline_1);
$headline_3 = stripslashes(str_replace("'", "''", $headline_2));

And what do you mean by "prepared statements"? Thanks
dzelenika Posted January 23, 2012
http://www.php.net/manual/en/pdo.prepare.php
If you don't want to use PDO and you're on Windows, there's also Microsoft's excellent SQL Server Driver for PHP available here: http://msdn.microsoft.com/en-us/sqlserver/ff657782.aspx
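To make "prepared statements" concrete for the Headline field in the question above, here is an added example (not code from the thread or from any of its posters) using PDO with the sqlsrv driver. The DSN, credentials and the table dbo.Listings(Headline nvarchar(200)) are hypothetical; it targets PHP 7 or later. The point it shows is that the SQL text only ever contains a placeholder, so the value is sent separately and no manual quote doubling or slash stripping is needed.

```php
<?php
// Added example: storing the "Headline" form field with a PDO prepared statement.
// Connection details and the table dbo.Listings are hypothetical.

function getConnection(): PDO
{
    $dsn = 'sqlsrv:Server=localhost;Database=example_db';   // hypothetical DSN
    $pdo = new PDO($dsn, 'app_user', 'app_password');       // hypothetical credentials
    // Throw on errors so a failed prepare/execute is never silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function saveHeadline(PDO $pdo, string $rawHeadline): int
{
    // Normalise the input, but do NOT double quotes or add slashes: the driver
    // sends the value apart from the SQL text, so quotes inside it are just data.
    $headline = trim($rawHeadline);

    if ($headline === '' || mb_strlen($headline) > 200) {
        throw new InvalidArgumentException('Headline must be 1-200 characters');
    }

    // The "?" placeholder is all the SQL text contains; the value is bound at
    // execute time and cannot change the structure of the statement.
    $stmt = $pdo->prepare('INSERT INTO dbo.Listings (Headline) VALUES (?)');
    $stmt->bindValue(1, $headline, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->rowCount();   // 1 when the row was inserted
}

// Form handler (the "post action" from the question).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Headline'])) {
    $pdo = getConnection();
    saveHeadline($pdo, $_POST['Headline']);   // a value such as O'Brien's is stored verbatim
}
?>
<!-- Re-display the submitted value. HTML escaping is a separate concern from SQL. -->
<input class="sign_up_input_area_main" type="text" name="Headline"
       value="<?= htmlspecialchars($_POST['Headline'] ?? '', ENT_QUOTES, 'UTF-8') ?>" size="98" />
```

With this shape the trim/strip_tags steps from the question are optional input cleanup, not the defence; the defence is that the headline never becomes part of the SQL string.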
cpd Posted March 8, 2012
MSSQL is discontinued as of PHP 5.2.x or something like that. The new, more efficient method of connecting PHP with SQL Server is with the drivers specified above (SQLSRV). In answer to your question, you could use the function detailed by premiso - how secure that is I don't know. This would be implemented during the execution script where you process your form data. I personally feel a better method is to use stored procedures, which (as far as I know) are nigh on impossible to break through, as the syntax would just cripple the SQL Server if it were to be manipulated.
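As an added example (not code from the thread or from any poster) of the SQLSRV driver and stored procedures mentioned above, the block below calls a hypothetical procedure dbo.usp_InsertHeadline(@Headline nvarchar(200)) through sqlsrv_query with a bound parameter, and places the unsafe string-building form beside it for contrast. The server name, database and credentials are hypothetical. What keeps the first form safe is the parameter binding, not the procedure: a procedure only helps while the value reaches it as an argument rather than spliced into the EXEC text, and a procedure that itself builds dynamic SQL from that argument gives the protection back.

```php
<?php
// Added example: calling a stored procedure through the SQLSRV driver.
// dbo.usp_InsertHeadline and the connection details are hypothetical.
// Requires the sqlsrv extension (Microsoft Drivers for PHP for SQL Server).

function connectSqlsrv()
{
    $conn = sqlsrv_connect('localhost', [          // hypothetical server
        'Database'     => 'example_db',
        'UID'          => 'app_user',
        'PWD'          => 'app_password',
        'CharacterSet' => 'UTF-8',   // PHP UTF-8 strings map correctly onto nvarchar
    ]);
    if ($conn === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    return $conn;
}

// Safe: the headline travels as a parameter and is never part of the SQL text.
function insertHeadlineViaProc($conn, $headline)
{
    $sql  = '{call dbo.usp_InsertHeadline(?)}';
    $stmt = sqlsrv_query($conn, $sql, [$headline]);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    return sqlsrv_rows_affected($stmt);
}

// NOT safe, even though a stored procedure is involved: the value is
// concatenated into the EXEC string, so a quote inside $headline still ends
// the literal. Kept only to make the contrast visible; do not use this form.
function insertHeadlineUnsafe($conn, $headline)
{
    $sql = "EXEC dbo.usp_InsertHeadline @Headline = '" . $headline . "'";
    return sqlsrv_query($conn, $sql);
}

// Usage: both functions take the raw form value; only the first is safe.
$conn = connectSqlsrv();
insertHeadlineViaProc($conn, trim($_POST['Headline'] ?? ''));
sqlsrv_close($conn);
```

If an existing procedure builds its own query text with EXEC or sp_executesql, audit it the same way as application code: the parameter must be passed on as a parameter there too, not concatenated.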