October 16th, 2007, 03:56 AM
#1
Prevent injection MSSql server
Hello,
I wanted to ask if anyone knows of a way to prevent injection in SQL Server 2005. I mean, is there any way to do all the blocking on the server and not have to escape each special character one by one?
For example, in PHP I used mysql_escape_string and the string was automatically OK to send to the database... Is there something similar in SQL Server?
Thank you
-
October 16th, 2007, 05:50 AM
#2
Re: Prevent injection MSSql server
It's up to the client to escape the query that it sends to the server. The server cannot know if the client meant for an extra apostrophe to be there or not.
If you're accessing the database through .NET, this is handled automatically when using the SqlCommand object and parameters:
Code:
// using System.Data.SqlClient; the value of @id is sent separately and never spliced into the SQL text
// ("table" is a reserved word in T-SQL, so the name is bracketed)
SqlCommand command = new SqlCommand("SELECT a, b, c FROM [table] WHERE id = @id", connection);
command.Parameters.AddWithValue("@id", 123);
SqlDataReader reader = command.ExecuteReader();
-
October 16th, 2007, 08:23 AM
#3
Re: Prevent injection MSSql server
As andreasblixt said, the best way is to use parameterized queries.
In PHP you can use the mssql_init, mssql_bind and mssql_execute functions.
-
October 17th, 2007, 10:57 AM
#4
Re: Prevent injection MSSql server
Originally Posted by ktsirig
Hello,
I wanted to ask if anyone knows of a way to prevent injection in SQL Server 2005. I mean, is there any way to do all the blocking on the server and not have to escape each special character one by one?
For example, in PHP I used mysql_escape_string and the string was automatically OK to send to the database... Is there something similar in SQL Server?
Thank you
If you want to avoid SQL injection attacks, you have to use placeholders in your app and avoid generating SQL statements.
This is wrong:
Code:
' anydata is spliced straight into the SQL text, so an apostrophe in it changes the statement
strSQL = "select * from table where field1='" & anydata & "'"
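The two patterns from this thread side by side, as an added example that is not code from the original posts: the string concatenation of post #4 (written in C# here) next to the parameterized SqlCommand of post #2. It assumes a table named [table] with columns a, b, c and name, the .NET Framework System.Data.SqlClient provider, and a hypothetical environment variable DEMO_MSSQL_CONNSTR holding the connection string; the attacker input is constructed for the demonstration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original thread. Assumes a table [table] with
// columns a, b, c and name; connection string comes from a hypothetical
// environment variable so the concatenation part of the demo runs offline.
class InjectionDemo
{
    // WRONG (post #4's pattern): user input becomes part of the SQL text, so the
    // input can change the grammar of the statement. A name of  ' OR 1=1 --
    // closes the literal, adds a tautology and comments out the final apostrophe.
    static string BuildUnsafeQuery(string name)
    {
        return "SELECT a, b, c FROM [table] WHERE name = '" + name + "'";
    }

    // RIGHT (post #2's pattern): the SQL text is a constant and the value travels
    // to SQL Server as a typed parameter. The server never parses the value as
    // SQL, so apostrophes, comment markers or semicolons in it are just data.
    static DataTable LookupSafe(string connectionString, string name)
    {
        const string sql = "SELECT a, b, c FROM [table] WHERE name = @name";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Declaring type and length explicitly (instead of AddWithValue)
            // keeps the parameter type stable whatever string is passed in.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            connection.Open();
            var rows = new DataTable();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                rows.Load(reader);
            }
            return rows;
        }
    }

    static void Main()
    {
        // Constructed attacker input for the demonstration.
        string hostile = "' OR 1=1 --";

        Console.WriteLine("Statement SQL Server would receive from concatenation:");
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Hypothetical environment variable; the parameterized lookup needs a real server.
        string cs = Environment.GetEnvironmentVariable("DEMO_MSSQL_CONNSTR");
        if (string.IsNullOrEmpty(cs))
        {
            Console.WriteLine("Set DEMO_MSSQL_CONNSTR to run the parameterized lookup.");
            return;
        }

        // With the parameter, the server compares the name column against the
        // literal text of `hostile`, so no tautology is evaluated.
        DataTable result = LookupSafe(cs, hostile);
        Console.WriteLine("Rows returned for the hostile input: " + result.Rows.Count);
    }
}
```

With the concatenated version the WHERE clause degenerates into `name = '' OR 1=1 --'`, which matches every row; with the parameter the same input is an ordinary string compared against the column. Two caveats for SQL Server specifically: parameters can only carry values, not identifiers (table or column names, ORDER BY direction), so those still need a whitelist; and a value that reaches a stored procedure as a parameter but is then glued into dynamic SQL and run with EXEC(@sql) is injectable again on the server side, so dynamic SQL there should go through sp_executesql with a parameter list instead.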