This topic is now archived and is closed to further replies.

ebolt007

no mssql_real_escape_string

Since Mssql doesn't have an escape string for input information, is there anything that anyone has to protect inputs against sql injections?


This may be a retarded question, but I never really got the grasp of functions. How would I implement a function like this on a post of a variable like the following?

 

Say I have a headline input field called:

<input class="sign_up_input_area_main" type="text" name="Headline" value="<?php echo $headline_2; ?>" size="98" />

 

and my post action is

$headline_1 = trim($_POST['Headline']);
$headline_2 = strip_tags($headline_1);
$headline_3 = stripslashes(str_replace("'", "''", ($headline_2)));

 

And what do you mean by "prepared statements"?

Thanks


MSSQL is discontinued as of PHP 5.2.x or something like that. The new more efficient method of connecting PHP with SQL Server is with the drivers specified above (SQLSRV).

 

In answer to your question, you could use the function detailed by premiso - how secure that is I don't know. This would be implemented during the execution script where you process your form data.

 

I personally feel a better method is to use stored procedures which (as far as I know) are near on impossible to break through as the syntax would just cripple the SQL Server if it were to be manipulated.

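A prepared statement, as asked about in the thread, keeps the SQL text fixed and sends the form value separately as a bound parameter, so quote doubling is not needed. This is an added example, not code from any poster: it uses PDO with an in-memory SQLite database as a constructed stand-in so it runs without a server, and the `posts` table, `headline` column and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in database so the script runs without a server.
// With Microsoft's PDO_SQLSRV driver the DSN would instead look like
// "sqlsrv:Server=HOST;Database=DBNAME" (placeholders); the rest is unchanged.
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, headline TEXT NOT NULL)');
    return $pdo;
}

// Validate the form value, then pass it to the driver as a bound parameter.
// The SQL text is constant; the value never becomes part of the statement.
function save_headline(PDO $pdo, string $raw): int
{
    $headline = trim($raw);
    if ($headline === '' || strlen($headline) > 200) {
        throw new InvalidArgumentException('Headline must be 1-200 bytes');
    }
    $stmt = $pdo->prepare('INSERT INTO posts (headline) VALUES (:headline)');
    $stmt->execute([':headline' => $headline]);
    return (int) $pdo->lastInsertId();
}

function load_headline(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT headline FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

$pdo = open_db();
// Constructed inputs standing in for $_POST['Headline']:
// an ordinary apostrophe and an injection-shaped string.
$samples = ["Bob's big day", "x'); DROP TABLE posts; --"];
foreach ($samples as $raw) {
    $id = save_headline($pdo, $raw);
    $stored = load_headline($pdo, $id);
    // Stored unchanged; escape only when writing it back into the HTML form.
    printf("%d stored-unchanged=%s html=%s\n", $id,
        var_export($stored === $raw, true),
        htmlspecialchars((string) $stored, ENT_QUOTES, 'UTF-8'));
}
$count = (int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn();
echo "rows in posts: {$count}\n";
```

Both inputs end up as ordinary rows and the table still exists afterwards, because the driver treats the bound value as data rather than SQL.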
