SQL Injection with PHP + Sqlserver

How can I prevent SQL injection from input received via POST using PHP + SQL Server? (Using Microsoft SQL Server => mssql)

I'm doing the data abstraction of a comic that runs MySQLi, and in that case it is done this way:

$Email= mysqli_real_escape_string($conexao, $_POST['Email']);
$Senha= mysqli_real_escape_string($conexao, $_POST['Senha']); 
 
  • PDO is an alternative. Which driver are you using?

  • The application uses mssql JDBC in SQL

  • The old mssql? About PDO => http://answall.com/a/68238/91

  • ODBC or JDBC? There’s something weird there.

  • current http://php.net/manual/en/book.mssql.php @rray

  • In the SQL DB it is /Volumes/Razorsql/Razorsql.app/Contents/Java/drivers/jtds/jtds12.jar and net.sourceforge.jtds.jdbc.Driver was almost, lol..

  • The mssql extension has been removed from PHP 7, and since 5.3 it is not included for Windows; it is highly recommended not to use it.


1 answer


There are two drivers to connect SQL Server from PHP: PDO and SQLSRV. There are several questions about the PDO driver specific to SQL Server, covering installation and configuration, creating the connection, and the other aspects of the library.

Making the connection:

$servidor = 'ip or server\instance';   // host, or host\instance for a named instance
$db = 'test';
$usuario = 'user';
$senha = 'pass';

// sqlsrv_connect returns false on failure; check it before running queries
$conexao = sqlsrv_connect($servidor, array('Database' => $db, 'UID' => $usuario, 'PWD' => $senha));
if ($conexao === false) {
    die(print_r(sqlsrv_errors(), true));
}

Escaping characters does not prevent or resolve the SQL injection problem, as shown in that answer; the best way to tackle this problem is to filter user input properly and use prepared statements.

For DML (insert, update or delete) use code like this. This is just an example; please do not store passwords in plain text in the database.

// The values are sent as bound parameters (?), never concatenated into the SQL text
$sql = "INSERT INTO usuarios(email, nome, senha) VALUES(?,?,?)";

$email = "[email protected]";
$nome = "Doge";
$senha = "wowsuchsecret";

// sqlsrv_prepare only prepares the statement; the parameters are bound by reference
$stmt = sqlsrv_prepare( $conexao, $sql, array($email, $nome, $senha));
if( !$stmt ) {
    die( print_r(sqlsrv_errors(), true));
}

// sqlsrv_execute actually runs the prepared statement with the current parameter values
if( sqlsrv_execute($stmt) === false ) {
    die( print_r(sqlsrv_errors(), true));
}
sqlsrv_free_stmt($stmt);

Select:

// No user input in this query, so sqlsrv_query without parameters is fine;
// if a WHERE clause used input, pass it as a third argument: sqlsrv_query($conexao, $sql, array($valor))
$sql = "SELECT * FROM usuarios";
$stmt = sqlsrv_query($conexao, $sql);
if( $stmt === false) {
    die(print_r(sqlsrv_errors(), true));
}

while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC) ) {
    echo $row['nome']." - ".$row['email']."<br />";
}
sqlsrv_free_stmt($stmt);
  • Unfortunately this does not work for me because I connect remotely via mssql_connect
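The answer above shows the prepared-statement API but not the case the question actually asked about: taking Email and Senha from $_POST and looking the user up in SQL Server. The following is an added example written for this page, not code from the original answer or from any project, showing that lookup with the SQLSRV driver and the equivalent with PDO_SQLSRV, with the password stored as a hash instead of plain text. The server name, database, credentials and the usuarios table (columns id, email, nome, senha) are assumptions.

```php
<?php
// Added example: parameterized user lookup and registration for SQL Server.
// Connection details and the usuarios table layout are assumptions.
declare(strict_types=1);

const SERVER = 'localhost\SQLEXPRESS';  // assumption: host\instance
const DB     = 'test';                   // assumption
const USER   = 'user';                   // assumption
const PASS   = 'pass';                   // assumption

// --- SQLSRV driver ---------------------------------------------------------

function sqlsrv_find_user($conexao, string $email): ?array
{
    // The e-mail is sent as a bound parameter: SQL Server receives the query
    // text and the value separately, so an input such as  ' OR 1=1 --
    // stays a literal string and cannot change the statement. Nothing is escaped.
    $sql  = 'SELECT id, nome, senha FROM usuarios WHERE email = ?';
    $stmt = sqlsrv_query($conexao, $sql, [$email]);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);  // array, null (no row) or false (error)
    sqlsrv_free_stmt($stmt);
    return is_array($row) ? $row : null;
}

function sqlsrv_register_user($conexao, string $email, string $nome, string $senha): void
{
    // Store a password hash, never the password itself
    $hash = password_hash($senha, PASSWORD_DEFAULT);
    $sql  = 'INSERT INTO usuarios (email, nome, senha) VALUES (?, ?, ?)';
    // sqlsrv_prepare binds parameters by reference, so they must be variables
    $stmt = sqlsrv_prepare($conexao, $sql, [&$email, &$nome, &$hash]);
    if ($stmt === false || sqlsrv_execute($stmt) === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    sqlsrv_free_stmt($stmt);
}

function sqlsrv_login($conexao, string $email, string $senha): bool
{
    $user = sqlsrv_find_user($conexao, $email);
    // password_verify compares against the stored hash in constant time
    return $user !== null && password_verify($senha, $user['senha']);
}

// --- PDO_SQLSRV driver (same query, the other driver the answer mentions) ----

function pdo_connect(): PDO
{
    $pdo = new PDO('sqlsrv:Server=' . SERVER . ';Database=' . DB, USER, PASS);
    // Throw on errors instead of silently returning false
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function pdo_find_user(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, nome, senha FROM usuarios WHERE email = ?');
    $stmt->execute([$email]);               // value bound, not interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Handling the POST from the question ------------------------------------

$email = (string) ($_POST['Email'] ?? '');
$senha = (string) ($_POST['Senha'] ?? '');

// Input validation is defence in depth; the parameter binding above is what
// actually prevents injection, so reject obviously malformed input early.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $senha === '') {
    http_response_code(400);
    exit('invalid input');
}

$conexao = sqlsrv_connect(SERVER, ['Database' => DB, 'UID' => USER, 'PWD' => PASS]);
if ($conexao === false) {
    throw new RuntimeException(print_r(sqlsrv_errors(), true));
}

echo sqlsrv_login($conexao, $email, $senha) ? 'login ok' : 'invalid credentials';
sqlsrv_close($conexao);
```

The difference from the mysqli_real_escape_string approach in the question is that no quoting is involved at all: the driver sends the parameter values out of band, so the query's structure is fixed before any user data arrives. The same holds for pdo_find_user, which is the form to use if the PDO_SQLSRV driver is installed instead of SQLSRV.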
