What are some alternatives to mysql_real_escape_string for securing input against SQL injection in PHP when using MS SQL Server?

When using MS SQL Server in PHP, the equivalent function to mysql_real_escape_string for securing input against SQL injection is sqlsrv_escape_string. This function escapes special characters in a string to prevent SQL injection attacks. It should be used to sanitize user input before constructing SQL queries.

// Establish a connection to the MS SQL Server database
$serverName = &quot;localhost&quot;;
$connectionOptions = array(
    &quot;Database&quot; =&gt; &quot;your_database&quot;,
    &quot;Uid&quot; =&gt; &quot;your_username&quot;,
    &quot;PWD&quot; =&gt; &quot;your_password&quot;
);
$conn = sqlsrv_connect($serverName, $connectionOptions);

// Sanitize user input using sqlsrv_escape_string
$userInput = &quot;input from user&quot;;
$sanitizedInput = sqlsrv_escape_string($userInput);

// Use the sanitized input in your SQL query
$sql = &quot;SELECT * FROM your_table WHERE column_name = &#039;$sanitizedInput&#039;&quot;;
$query = sqlsrv_query($conn, $sql);

// Don&#039;t forget to close the connection when done
sqlsrv_close($conn);

Keywords

MS SQL Server SQL injection PHP prepared statements PDO

What are some alternatives to mysql_real_escape_string for securing input against SQL injection in PHP when using MS SQL Server?

Keywords

Related Questions