
PHP, ODBC, and SQL Injection

How does one prevent SQL injection when using ODBC to connect to MS SQL Server? odbc_prepare() doesn’t work (see my open question) due to bugs in unixODBC, and there is no _escape or _quote function for ODBC, either.

Additionally, PDO has a bad, 6-year-old bug where, if a result returns a NULL in any column, the entire result set comes back null (at least when connected to MSSQL over ODBC).

So what can I possibly do to guard against SQL injection?


Answer

Although this is an old question, and odbc_prepare() is pretty much deprecated, what you should do is use PDO instead:

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Use the MSSQL driver's native prepared statements.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, FALSE);

This should work.

User contributions licensed under: CC BY-SA
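The answer above shows only the two attribute calls. The following is an added example, not code from the question or the answer, that puts them in context: a PDO_ODBC connection to MSSQL, a deliberately vulnerable string-concatenated query next to its parameterised replacement, an allow-list for the parts of a statement that cannot be bound (column names, sort direction), and a round-trip check for the NULL-column behaviour the question describes. Everything environment-specific is an assumption: the ODBC DSN name "mssql" (expected in odbc.ini), the DB_USER/DB_PASS environment variables, and a table dbo.users(id INT IDENTITY, email NVARCHAR(320), display_name NVARCHAR(100) NULL).

```php
<?php
// Added example; not from the original post. All names below are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: a DSN called "mssql" exists in odbc.ini and points at the
    // MS SQL Server instance. Credentials come from the environment.
    $pdo = new PDO('odbc:mssql', getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same setting as in the answer: let the driver prepare the statement.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

// VULNERABLE: the caller's string becomes part of the SQL text.
// An input of  x' OR 1=1 --  turns the WHERE clause into a tautology and
// returns every row; a single quote alone produces a syntax error instead.
function findUserByEmailUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email, display_name FROM dbo.users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll();
}

// HARDENED: the SQL text is fixed at prepare time; the value travels to the
// server as a bound parameter and is compared literally, quotes and all.
function findUserByEmail(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email, display_name FROM dbo.users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll();
}

// Identifiers and keywords cannot be bound as parameters. When they have to
// come from the caller, validate them against a fixed allow-list and only
// ever interpolate the allow-listed value, never the raw input.
function listUsersSorted(PDO $pdo, string $column, string $direction = 'ASC'): array
{
    $allowedColumns = ['id', 'email', 'display_name'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT id, email, display_name FROM dbo.users ORDER BY [$column] $direction");
    return $stmt->fetchAll();
}

// Check for the NULL-column behaviour described in the question: insert a
// row whose display_name is NULL inside a transaction, read it back through
// the prepared statement, and roll back. Returns true when the row comes back
// intact with display_name === null; false indicates the driver/PDO
// combination is dropping or nulling the result set.
function nullColumnRoundTrip(PDO $pdo): bool
{
    $email = 'null-check@example.invalid'; // constructed test value
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare('INSERT INTO dbo.users (email, display_name) VALUES (?, NULL)');
        $ins->execute([$email]);
        $rows = findUserByEmail($pdo, $email);
        return count($rows) === 1
            && array_key_exists('display_name', $rows[0])
            && $rows[0]['display_name'] === null
            && $rows[0]['email'] === $email;
    } finally {
        $pdo->rollBack();
    }
}

$pdo = connect();
// The injection payload is just a string to the prepared statement: no match.
var_dump(findUserByEmail($pdo, "x' OR 1=1 --"));
var_dump(listUsersSorted($pdo, 'email', 'desc'));
var_dump(nullColumnRoundTrip($pdo));
```

If nullColumnRoundTrip() returns false on your stack, that reproduces the problem the question reports and is worth capturing (PHP version, pdo_odbc build, unixODBC and driver versions) before deciding between PDO_ODBC and another driver; parameter binding itself is unaffected by the fetch behaviour, so the injection defence does not depend on that check passing.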