How does one prevent SQL injections when using ODBC to connect to a MS SQL Server? odbc_prepare() doesn't work (see my open question) due to bugs in unixODBC, and there is no _escape or _quote function for ODBC, either.
Additionally, PDO has a bad, six-year-old bug where if a result returns a NULL in any column, the entire resultset comes back null (at least when connected to MSSQL over ODBC).
So what can I possibly do to guard against SQL injections?
Answer
Although this is an old question, odbc_prepare() is pretty much deprecated. What you should do is use PDO instead:
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use the MSSQL driver's native prepared statements.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, FALSE);
This should work.
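To show what "use PDO instead" looks like end to end, here is an added example (my own code, not the answerer's) that opens a PDO connection to SQL Server, applies the two attributes from the answer, and runs the same lookup twice: once with the value spliced into the SQL text, and once as a bound parameter of a prepared statement. The DSN, credentials, table name and the DB_PASSWORD environment variable are assumptions; the input "o'brien" is a constructed sample chosen because the embedded quote breaks the concatenated query while the parameterized one handles it unchanged.

```php
<?php
// Added example, not code from the original answer. Placeholders: the DSN,
// user name, DB_PASSWORD environment variable and the "users" table.
declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN for the Microsoft pdo_sqlsrv driver; adjust server/database.
    $pdo = new PDO('sqlsrv:Server=localhost;Database=app', 'app_user', getenv('DB_PASSWORD') ?: '');

    // Ask for the driver's native (server-side) prepared statements. Set this
    // before switching to exception mode so a driver that does not expose the
    // attribute returns false here instead of aborting the connection.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Surface driver errors as exceptions instead of silent false returns.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Vulnerable form: the user-supplied value becomes part of the SQL text, so a
// quote in the input changes the statement itself (here: a syntax error).
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare time; the value is sent
// separately as a typed parameter and can never be parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
$input = "o'brien"; // constructed sample input containing a single quote

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote terminated the string literal early; SQL Server rejects the statement.
    echo "Concatenated query failed: {$e->getMessage()}\n";
}

// Same input, bound as a parameter: returns the rows whose username is exactly o'brien.
$rows = findUserSafe($pdo, $input);
printf("Parameterized query returned %d row(s)\n", count($rows));
```

The point to take from the comparison is that the hardened version needs no escaping or quoting function at all, which is exactly the gap the question runs into with plain ODBC: with prepared statements the separation between query text and data is done by the driver, not by string manipulation in PHP.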