After consulting online resources and having in-depth discussions with our DB gurus about how to prevent SQL injection for MSSQL, I came up with a simple function to clean up data.
The function:
function mssqlSafeRecursive($inputData) {
    // Arrays (e.g. $_POST) are walked element by element.
    if (is_array($inputData)) {
        return array_map('mssqlSafeRecursive', $inputData);
    }
    // Double single quotes so the value can sit inside a T-SQL '...' string literal.
    $inputData = str_replace("'", "''", $inputData);
    // Strip a blacklist of tokens, case-insensitively, from the remaining text.
    $inputData = str_ireplace(array(';', '--', 'select', 'insert', 'xp_'), '', $inputData);
    return $inputData;
}
You can feed it a string or an array.
This could be run on the POST array after a form is submitted.
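To see what the filter does to ordinary form data before it reaches a query, here is an added harness (my example, not code from the original post) that runs the function over a constructed POST array; the sample values and the expected results are assumptions I worked through by hand.

```php
<?php
// Added example: exercises mssqlSafeRecursive() on constructed inputs so its
// effects on legitimate data are visible. The function body is copied from the
// post; every input value below is constructed for this demonstration.

function mssqlSafeRecursive($inputData) {
    if (is_array($inputData)) {
        return array_map('mssqlSafeRecursive', $inputData);
    }
    $inputData = str_replace("'", "''", $inputData);
    $inputData = str_ireplace(array(';', '--', 'select', 'insert', 'xp_'), '', $inputData);
    return $inputData;
}

// Constructed sample of what a submitted form might contain. It is ordinary
// user text that happens to include characters and words on the blacklist.
$post = array(
    'name'    => "O'Brien",
    'comment' => "Please re-select the insert tray",
    'tags'    => array('a' => 'red; blue', 'b' => '--draft--'),
);

$clean = mssqlSafeRecursive($post);

// Worked by hand from the function: the apostrophe is doubled (correct for a
// quoted T-SQL literal), but "select" and "insert" are also removed from
// harmless words, and str_ireplace applies its array of patterns in order.
$expected = array(
    'name'    => "O''Brien",
    'comment' => "Please re- the  tray",
    'tags'    => array('a' => 'red blue', 'b' => 'draft'),
);
assert($clean === $expected);

// Applying the filter a second time doubles the quotes again, so it must run
// exactly once per value: either on the POST array or at query time, not both.
assert(mssqlSafeRecursive($clean['name']) === "O''''Brien");

print_r($clean);
```

The middle assertion is the point to watch: the blacklist changes the stored meaning of legitimate input, so any data that must round-trip intact needs a different protection than keyword removal.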