Prevent SQL injection – simple sanitization!

After consulting online resources and having in-depth discussions with our DB gurus about how to prevent SQL injection for MSSQL, I came up with a simple function to clean up data.

The function:

function mssqlSafeRecursive($inputData) {
    // Arrays (for example the whole $_POST array) are cleaned element by element.
    if (is_array($inputData)) {
        return array_map('mssqlSafeRecursive', $inputData);
    }

    // Double every single quote so it cannot terminate a T-SQL string literal.
    $inputData = str_replace("'", "''", $inputData);
    // Strip a fixed, case-insensitive list of tokens from the value.
    $inputData = str_ireplace(array(';', '--', 'select', 'insert', 'xp_'), '', $inputData);
    return $inputData;
}

You can feed it a string or an array.

This could be run on the POST array after a form is submitted.
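For comparison, here is how the same form submission can be handled with parameterized queries, where the database driver sends the values separately from the SQL text, so nothing in the data needs to be escaped or stripped and an apostrophe or the word "select" in a customer's notes arrives unchanged. This is an added example, not code from the original post; the DSN, credentials, the `customers` table and its column names are assumed placeholders.

```php
<?php
// Added example: bind form values as parameters instead of editing them.
// Uses PDO with the Microsoft pdo_sqlsrv driver; the DSN, credentials,
// table and column names below are placeholders for this illustration.

function connectMssql(): PDO {
    $dsn = 'sqlsrv:Server=db.example.internal;Database=shop'; // assumed
    $pdo = new PDO($dsn, 'app_user', 'app_password');         // assumed
    // Throw on errors so a failed statement is not silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Insert one customer from a submitted form. Only the expected keys are read
// from $post; the values are passed as bound parameters, never pasted into SQL.
function insertCustomer(PDO $pdo, array $post): int {
    $allowed = ['name', 'email', 'notes'];
    $row = [];
    foreach ($allowed as $key) {
        // Reject missing or non-scalar fields instead of trying to clean them.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("missing or invalid field: $key");
        }
        $row[$key] = $post[$key];
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }

    $sql = 'INSERT INTO customers (name, email, notes) VALUES (:name, :email, :notes)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($row);   // values travel as parameters, not as SQL text
    return $stmt->rowCount();
}

// Constructed sample submission. The apostrophe, the semicolon and the word
// "select" are ordinary data here and are stored exactly as typed.
$samplePost = [
    'name'  => "Pat O'Reilly",
    'email' => 'pat@example.com',
    'notes' => 'Please select the express option; call after 5pm',
];

$pdo = connectMssql();
$inserted = insertCustomer($pdo, $samplePost);
echo "rows inserted: $inserted\n";
```

The same bound-parameter approach works with the procedural `sqlsrv_query($conn, $sql, $params)` call if PDO is not available.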
