Click to See Complete Forum and Search --> : Prevent injection MSSql server
ktsirig
October 16th, 2007, 04:56 AM
Hello,
I wanted to ask if anyone knows of a way to prevent injection in an SQL SERVER 2005. I mean, is there any way to do all the blocking in the server and not have to escape each special character one-by-one?
For example, in PHP I used mysql_escape_string and automatically the string was OK to send to the database... Is there something similar in SQL Server?
Thank you
andreasblixt
October 16th, 2007, 06:50 AM
It's up to the client to escape the query that it sends to the server. The server cannot know if the client meant for an extra apostrophe to be there or not.
If you're accessing the database through .NET, this is handled automatically when using the SqlCommand object and parameters:
SqlCommand command = new SqlCommand("SELECT a, b, c FROM table WHERE id = @id", connection);
command.Parameters.AddWithValue("@id", 123);
SqlDataReader reader = command.ExecuteReader();
hspc
October 16th, 2007, 09:23 AM
as andreasblixt said, the best way is to use parameterized queries.
In PHP: you can use: mssql_init,mssql_bind,mssql_execute functions.
hensa22
October 17th, 2007, 11:57 AM
Hello,
I wanted to ask if anyone knows of a way to prevent injection in an SQL SERVER 2005. I mean, is there any way to do all the blocking in the server and not have to escape each special character one-by-one?
For example, in PHP I used mysql_escape_string and automatically the string was OK to send to the database... Is there something similar in SQL Server?
Thank you
if you want to avoid attack sql injection, you have to user place holder in your app and avoid to generate sql statements
it's wrong
strSQL="select * from table where field1='" & anydata & "'"
codeguru.com
Copyright Internet.com Inc., All Rights Reserved.