PHP and MSSQL, how to make it secure?

Don't use literals, use parameters and bind them to your query:

    $con = mssql_connect('xxx', 'xxx', 'xxx');
    mssql_select_db('xxx', $con);
    $qry = 'SELECT firstname FROM person where firstname = @firstname';
    mssql_bind($qry, '@firstname', $firstname, SQLVARCHAR);
    $query = mssql_query($qry, $con);

According to the docs, "mssql_bind — Adds a parameter to a stored procedure or a remote stored procedure". This won't work in my case since it's not a stored procedure. – vick Jul 26 at 19:54

The MSSQL binding supports prepared statements just fine. The documentation is your friend.

I did read the documentation, I couldn't find it. mssql_bind is only for stored procedures. – vick Jul 26 at 19:56
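Parameter binding for an ad hoc query (not a stored procedure) is available through PDO, which is also what replaced the mssql_* extension when that extension was removed in PHP 7. In the legacy extension, mssql_bind() only applies to statement handles created with mssql_init(), which is why it does not fit the question as asked. The following is an added example, not code from any of the answers above; the DSN, table, columns and credentials are assumptions, and the same code works with either the pdo_sqlsrv (Microsoft) or pdo_dblib (FreeTDS) driver by changing the DSN.

```php
<?php
// Added example: parameterised SELECT against SQL Server using PDO.
// Assumptions: a database reachable through the DSN below, a table `person`
// with columns firstname/lastname, and the credentials shown.
declare(strict_types=1);

function connectMssql(): PDO
{
    // pdo_sqlsrv DSN; with FreeTDS use 'dblib:host=localhost;dbname=example'
    // instead (host, database and credentials are assumed values).
    $dsn = 'sqlsrv:Server=localhost;Database=example';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findByFirstName(PDO $pdo, string $firstname): array
{
    // The SQL text is fixed; the value travels as a separate parameter,
    // so quotes, comment markers or semicolons in $firstname cannot change the statement.
    $stmt = $pdo->prepare('SELECT firstname, lastname FROM person WHERE firstname = :firstname');
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo = connectMssql();

// Normal lookup.
print_r(findByFirstName($pdo, 'Alice'));

// Constructed hostile input: with string concatenation this would read
//   ... WHERE firstname = '' OR 1=1 --'
// and return every row; with a bound parameter it is just a name nobody has.
print_r(findByFirstName($pdo, "' OR 1=1 --"));
```

With PDO::ERRMODE_EXCEPTION a failed connection or statement throws rather than returning false, so a missing check cannot silently turn into a query run against nothing. The second call returns an empty array: the hostile string is compared as a value, never parsed as SQL.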

You can use htmlentities() to convert HTML elements into HTML entities, and this function accepts a flags argument which controls escaping of single and double quotes. Here is the signature of the function:

    string htmlentities ( string $string , int $flags = ENT_COMPAT , string $charset , bool $double_encode = true )

and the values the second parameter may take:

ENT_COMPAT: Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES: Will convert both double and single quotes.
ENT_NOQUOTES: Will leave both double and single quotes unconverted.
ENT_IGNORE: Silently discard invalid code unit sequences instead of returning an empty string. Added in PHP 5.3.0. This is provided for backwards compatibility; avoid using it as it may have security implications.

You can simply use addslashes() with htmlentities(), and there is another function which cleans HTML tags out of the fields, filter_var(); an example would look like:

    $return_value = filter_var($data_to_be_filtered, FILTER_SANITIZE_STRING);

Important: Don't forget to check whether magic_quotes are enabled or not. You can do that by writing:

    if (get_magic_quotes_gpc()) {
        // do something
    }

More about magic_quotes: http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc

Edit: You can do more secure transactions by using prepared statements. They prevent SQL injection. Sample code:

    $db = new mysqli();
    $db->real_connect($host, $username, $password, $dbname) or die("Cannot connect"); // $dbname: database name, not the mysqli object
    $query = "select name from users where id = ?";
    $st = $db->prepare($query); // faster than a normal query run
    $st->bind_param("i", $id);  // "i": bind $id as an integer
    $st->execute();
    $st->bind_result($name);
    $st->fetch();
    echo $name;

Mssql doesn't supply a function to escape your query. One option is to use "addslashes()" instead, although it is somewhat ugly (and doesn't encompass everything) This might be helpful: How to escape strings in MSSQL using PHP?

– vick Jul 25 at 23:34

It prevents it from SQL injections, which is your biggest fear with SQL queries. – Chris Jul 25 at 23:36

Unfortunately, addslashes() is - at best - half of a solution (as this person has already been told in other help fora). It's pretty trivial to break addslashes(). – TML Jul 25 at 23:43

As my answer has already said... – Chris Jul 25 at 23:54

Sorry, Chris, I was trying to emphasize the point for vick, not disparage your answer. :) – TML Jul 25 at 23:58

Secure_connections = On" in my php.ini file, so I don't have to assign a username and password whenever I make a query. This works fine with PHP's native mssql_* functions and the ADOdb Framework, but sadly not with the Zend Framework.

At least I haven't found out how to connect to a database without assigning a username and a password. I have found a solution to make it possible; however, it is dependent on another "patch" (http://framework.zend.com/issues/browse/ZF-3493) by Bart McLeod. I would have loved not to be forced to use ODBC, but couldn't figure out how to make a trusted connection with PDO_MSSQL.

