Prevent SQL injection – simple sanitization!

After consulting online resources and having in-depth discussions with our DB gurus about how to prevent SQL injection for MSSQL, I came up with a simple function to clean up data.

The function:

function mssqlSafeRecursive($inputData) {
    // Arrays are cleaned element by element, so nested POST data is handled too
    if (is_array($inputData)) {
        return array_map('mssqlSafeRecursive', $inputData);
    }
    // Double single quotes so T-SQL treats them as literal characters
    $inputData = str_replace("'", "''", $inputData);
    // Strip the statement separator, the comment marker and a few keywords (case-insensitive)
    $inputData = str_ireplace(array(';', '--', 'select', 'insert', 'xp_'), '', $inputData);
    return $inputData;
}

You can feed it a string or an array.

This could be run on the POST array after a form is submitted.
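As an added example (not from the original post), the snippet below runs the sanitizer over a constructed stand-in for the POST array and, beside it, queries the same value through a PDO prepared statement with the sqlsrv driver. The DSN and credentials are placeholders, and the `users` table and `findUserId` function are assumptions for the illustration.

```php
<?php
// Added example, not part of the original post. Assumes the PDO sqlsrv
// driver; connection details are placeholders to replace for your setup.

function mssqlSafeRecursive($inputData) {
    if (is_array($inputData)) {
        return array_map('mssqlSafeRecursive', $inputData);
    }
    $inputData = str_replace("'", "''", $inputData);
    $inputData = str_ireplace(array(';', '--', 'select', 'insert', 'xp_'), '', $inputData);
    return $inputData;
}

// Constructed sample input standing in for a submitted form ($_POST).
$post = array(
    'username' => "O'Brien",
    'company'  => 'Select Committee; Insert Ltd',
    'tags'     => array('admin', 'finance'),
);

// 1. The post's approach: clean the whole array, then build the SQL text by hand.
$clean = mssqlSafeRecursive($post);
// 'username' becomes O''Brien; 'company' loses its keywords and the semicolon,
// so legitimate data is altered as a side effect of the filtering.
$sqlByHand = "SELECT id FROM users WHERE name = '" . $clean['username'] . "'";

// 2. Parameterized query (assumed helper): the value is bound separately and
//    never spliced into the SQL text, so quotes, semicolons and keywords in it
//    are plain data and nothing has to be stripped from it.
function findUserId(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

$dsn = 'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER';
$db  = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));

// The raw, unsanitized value is passed; the driver handles it safely.
var_dump(findUserId($db, $post['username']));
```

The second form is the one to prefer in practice: a prepared statement keeps data and SQL separate regardless of what the input contains, and it does not mangle legitimate values such as a company name that happens to contain the word "select". The recursive sanitizer can still be useful as a defensive layer for code paths that concatenate SQL, but it changes the stored data, so apply it only where that is acceptable.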
