PHP & SQL: Best way to protect this query from SQL injections NOT using PDO?

The Microsoft SQL Driver for PHP provides prepared statements: microsoft.com/downloads/en/details.aspx?... msdn.microsoft.com/en-US/library/cc29618....

You should at least escape the values. PHP Manual - mysql_real_escape_string.

Thanks, but I'm using mssql, I'm afraid. – iamjonesy Oct 20 '10 at 15:32

$query = sprintf(
    "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES ('%s','%s','%s','%s','%s')",
    mysql_real_escape_string($liferayid),
    mysql_real_escape_string($bmsid),
    mysql_real_escape_string($autotaskid),
    mysql_real_escape_string($waspdb),
    mysql_real_escape_string($cpid)
);

It's as simple as using mysql_real_escape_string on strings and typecasting on digits / ints / doubles:

    (int)$number;                       // Safe
    (double)$double;                    // Safe
    mysql_real_escape_string($string);  // Safe

This, used on every piece of data you insert into your database, will be safe.

Try prepared statements with sprintf():

    $tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid) VALUES (%d, %d, %d, '%s', %d)";
    $tsql = sprintf($tsql, $liferayid, $bmsid, $autotaskid, $waspdb, $cpid);
    echo $tsql; // you would execute this, but printing to the screen to show the query
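As an added example (not code posted in this thread): the question's INSERT run against SQL Server through the sqlsrv driver mentioned in the first answer, with the values passed as bound parameters rather than spliced into the SQL text. It combines the driver's parameter binding with the typecasting advice above, and it needs no PDO. The connection details are placeholders and the "form input" array is constructed; `insertLink` is a name chosen here.

```php
<?php
// Added example, not from the original thread.
// Requires the Microsoft SQL Server Driver for PHP (sqlsrv extension).

// Placeholder connection details; replace with real values.
$conn = sqlsrv_connect('SERVER_PLACEHOLDER', [
    'Database' => 'DB_PLACEHOLDER',
    'UID'      => 'USER_PLACEHOLDER',
    'PWD'      => 'PASSWORD_PLACEHOLDER',
]);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

/**
 * Insert one row into cplinktable using a parameterised statement.
 *
 * The SQL text is fixed; the five ? markers are the only places where
 * data enters, and the driver sends the values separately from the
 * statement, so quotes or semicolons inside a value are just characters.
 */
function insertLink($conn, array $row): bool
{
    $tsql = "INSERT INTO cplinktable (liferayid, bmsid, autotaskid, waspdb, cpid)
             VALUES (?, ?, ?, ?, ?)";

    // Numeric columns: refuse anything that is not an integer string, so a
    // bad value fails here instead of being coerced silently.
    foreach (['liferayid', 'bmsid', 'autotaskid', 'cpid'] as $col) {
        if (!isset($row[$col]) || !ctype_digit((string) $row[$col])) {
            throw new InvalidArgumentException("$col must be a non-negative integer");
        }
    }

    $params = [
        (int) $row['liferayid'],
        (int) $row['bmsid'],
        (int) $row['autotaskid'],
        (string) $row['waspdb'],   // free-text column, no escaping needed
        (int) $row['cpid'],
    ];

    $stmt = sqlsrv_query($conn, $tsql, $params);
    if ($stmt === false) {
        // Log the driver's error detail server-side; do not echo it to users.
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }
    $ok = sqlsrv_rows_affected($stmt) === 1;
    sqlsrv_free_stmt($stmt);
    return $ok;
}

// Constructed sample input standing in for $_POST. The apostrophe in
// waspdb would break a quoted, string-built query; here it is harmless.
$input = [
    'liferayid'  => '42',
    'bmsid'      => '7',
    'autotaskid' => '1001',
    'waspdb'     => "O'Brien's DB",
    'cpid'       => '3',
];

var_dump(insertLink($conn, $input));
sqlsrv_close($conn);
```

For the same statement executed many times, `sqlsrv_prepare` with by-reference parameters followed by repeated `sqlsrv_execute` calls avoids re-parsing the SQL, and the injection protection is identical. The `ctype_digit` check is stricter than a bare `(int)` cast: `(int)"12abc"` quietly becomes 12, whereas the check rejects it.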

